When conducting research for this year’s State of Software Security report, we looked at how “nature” and “nurture” contribute to the time it takes to close out a security flaw. For the “nature” side, we looked at attributes that we cannot change, like application size or age. For “nurture,” we looked at application attributes we can change, like security scan frequency and cadence.
We found that the “nature” of applications can lengthen the time it takes to remediate a security flaw. Applications with a high flaw density take, on average, 63 days longer to remediate security flaws than applications with a lower flaw density. Large applications, large organizations, and old applications also slow down remediation.
But on a positive note, we found that there are ways you can “nurture” applications (even when the “nature” is less than ideal) to speed up time to remediation. Over the next several weeks, we will provide three tips – including frequent and steady scanning and employing SCA with SAST – for nurturing applications. The first tip, proven to be the most effective method for nurturing the security of your applications, is using dynamic application security testing (DAST) in conjunction with static application security testing (SAST). In fact, we found that organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST.
Why does using DAST with SAST improve time to remediation?
Static analysis scans the application’s code for flaws during the development phase of the software development lifecycle (SDLC), looking for common code-level issues such as directory traversal, cross-site scripting, and various injection flaws. Dynamic analysis tests the running application, which also exposes issues that live outside the code, such as server and deployment configuration weaknesses and authentication problems.
The chart above shows how much deeper coverage becomes when DAST is added to SAST: dynamic analysis draws out significantly more flaws than static analysis does on its own. For example, static analysis alone finds around 10 percent of CWE-297 (improper validation of certificate with host mismatch) flaws, but when DAST is added, the number of CWE-297 flaws discovered more than doubles.
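As an added illustration (example code written for this post, not Veracode’s scanner and not data from the report), the Python below contrasts a SAST-style source pattern rule with a DAST-style runtime observation for the CWE-297 case just mentioned. The two sample application sources, the deployment settings, and all function names are constructed for the demo. The static rule is deliberately a literal-pattern check; a real engine does more data-flow analysis, but it still cannot see a value that only exists in the deployed configuration, which is exactly what the runtime check picks up.

```python
import ast
import ssl

# Constructed sample application source, as a SAST scanner would see it.
# Variant A hard-codes the unsafe TLS settings in the code itself.
APP_HARDCODED = '''
import ssl

def build_tls_context(settings):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # hostname mismatch accepted: CWE-297
    ctx.verify_mode = ssl.CERT_NONE  # no certificate validation at all: CWE-295
    return ctx
'''

# Variant B leaves the decision to a deployment setting read at runtime;
# nothing in the source literally says "False".
APP_CONFIG_DRIVEN = '''
import ssl

def build_tls_context(settings):
    ctx = ssl.create_default_context()
    ctx.check_hostname = bool(settings.get("verify_hostname", True))
    return ctx
'''

# Constructed deployment configs: what actually ships versus the safe default.
PROD_SETTINGS = {"verify_hostname": False}
SAFE_SETTINGS = {"verify_hostname": True}


def static_check(source: str) -> list:
    """SAST-style rule: flag source that literally disables certificate or
    hostname verification. Returns (line, message) pairs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            target, value = node.targets[0], node.value
            if not isinstance(target, ast.Attribute):
                continue
            if (target.attr == "check_hostname"
                    and isinstance(value, ast.Constant) and value.value is False):
                findings.append((node.lineno, "CWE-297: check_hostname set to False"))
            elif (target.attr == "verify_mode"
                    and isinstance(value, ast.Attribute) and value.attr == "CERT_NONE"):
                findings.append((node.lineno, "CWE-295: verify_mode set to CERT_NONE"))
        elif isinstance(node, ast.Call):
            # The requests-style pattern: some_call(..., verify=False)
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "CWE-295: verify=False"))
    return findings


def deploy(source: str, settings: dict) -> ssl.SSLContext:
    """Stand-in for running the deployed application: execute the module and
    build the TLS context it would actually use with the given settings."""
    namespace = {}
    exec(source, namespace)  # demo only; runs the constructed samples above
    return namespace["build_tls_context"](settings)


def runtime_check(ctx: ssl.SSLContext) -> list:
    """DAST-style observation: inspect what the running application does,
    regardless of how the source reads."""
    findings = []
    if not ctx.check_hostname:
        findings.append("CWE-297: peer hostname is not validated")
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("CWE-295: peer certificate is not validated")
    return findings


def compare(source: str, settings: dict) -> dict:
    """Run both checks on one application/deployment pair."""
    return {
        "static": static_check(source),
        "runtime": runtime_check(deploy(source, settings)),
    }


if __name__ == "__main__":
    for name, src in (("hard-coded", APP_HARDCODED), ("config-driven", APP_CONFIG_DRIVEN)):
        result = compare(src, PROD_SETTINGS)
        print(f"{name}: static found {len(result['static'])}, runtime found {len(result['runtime'])}")
```

For the hard-coded variant both checks agree. For the config-driven variant the static rule reports nothing, while the runtime check against the production settings reports the CWE-297 finding; that gap between what the source says and what the deployed application does is where adding DAST pays off.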
A likely explanation is that when developers see the flaws dynamic analysis draws out, not just how many there are but how severe and exploitable they are against the running application, they are more inclined to remediate them quickly.
To learn more about our nature vs. nurture findings or for additional information on the benefits of adding DAST to SAST, check out our recent State of Software Security report. And stay tuned for our Nature vs. Nurture Tip 2 and Tip 3 blogs, coming soon!