Over the past year, our scans of thousands of applications and billions of lines of code found a widespread weakness in applications, which is a top target of cyber attackers. And when you zoom in from a big picture view down to a micro-level, there are a few industries that are struggling to keep up with the rapidly changing cybersecurity landscape and combat the tactics of malicious actors today.
One of these sectors is healthcare. Healthcare organizations hold some of the most sensitive personal data, yet they have been victims of several high-profile breaches in recent years. In 2017 alone, healthcare data breaches increased, with one breach impacting more than one million individuals, and 14 breaches of more than 100,000 records. According to the Veracode 2017 State of Software Security report (SOSS), which includes scan data collected from our own platform over the past year, healthcare organizations made security strides, increasing OWASP policy compliance by an average nine percent between an application’s first and last scan. But healthcare applications had a high prevalence of flaws in the information leakage (55 percent) and cryptographic issues (52 percent) categories.
The Raw State of Untested Software
In theory, the growing awareness of security within the developer community should be prodding the overall body of coders to improve their daily programming best practices. Unfortunately, the stats don’t reflect this. We saw OWASP pass rates, for example, drop by about eight percentage points from last year. However, this may be related to the new companies added to the scan, including healthcare, hospitality and retail apps being scanned for the first time this year.
On the bright side, OWASP pass rates have improved by a statistically significant number compared to our initial data in 2010. And when organizations first scan their applications for vulnerabilities, they’re bound to find flaws. Still, we hope that our research into vulnerability prevalence would show a little bit of improvement on the raw state of software before security testing. If you’re looking for a silver lining, note that the lowest performing industries (healthcare and government) in last year’s SOSS study experienced the smallest declines in pass rate year-over year. That silver lining becomes a mere sliver when you look at the percentage of applications affected and the top three vulnerabilities in the healthcare industry, which includes information leakage (55.2 percent), cryptographic issues (51.5 percent) and code quality (35.1 percent).
And this year, we also took a peek at how many applications within an industry were undergoing their first policy scan as compared to the rest of the portfolio under current testing. A higher percentage of new applications undergoing their first policy can, such as healthcare, tends to suggest that those organizations are just getting started with their application security maturity process.
Meanwhile, healthcare among other industries on-boarded the most applications relative to the size of their portfolios. This could go a long way toward explaining their good performance in remediation from first scan to latest scan. With so many new applications added, these industries likely were able to take care of a lot of low-hanging fruit, namely easy-to-fix flaws that were newly found.
How to Scale Up Security Success
The good news is that it’s not all doom and gloom. For instance, the latest SOSS report highlights manufacturing and aerospace organizations have already made security part of their software development process. As a result, they have the highest OWASP pass rate on latest scan (30.5 percent) of any industry grouping, and the lowest proportion of applications undergoing their first assessment (nearly 40 percent). It goes to show that if you stick with a solid security program, improve security through testing and give your developers the resources they need for testing and remediation, then all industries will be able to improve their application security posture — including healthcare.
Our research shows that organizations that do testing and remediation are prioritizing the worst vulnerabilities, reducing flaw density on very high and high severity flaws at twice the clip of the overall field of vulnerabilities. Nevertheless, only 14 percent of the most severe flaws are fixed in under a month, and nearly 12 percent of applications have at least one high or very high severity flaw.
The latest SOSS report lets us think long and hard about where we need to go in order to achieve AppSec maturity. And while it seems like we are moving the application security needle slowly, there is a bright light at the end of the tunnel. With the right program in place, all industries can improve the state of software security. Looking to improve AppSec in your organization? Consider testing early and often, give developers the resources they need, and fix what you can, starting with the bugs that matter the most.