Development View on Application Security
As ties between application developers and security professionals grow closer than ever through the shift to DevOps and continuous testing, developers are increasingly tasked with more hands-on security testing and mitigation work. The information contains information for developers seeking to improve their security game.
REMEDIATION
REMEDIATION
TESTING
TESTING
APP DEVELOPMENT
APP DEVELOPMENT
DOWNLOAD REPORT
DOWNLOAD REPORT
Getting to Remediation
The goal of security testing is to put the right tools in the hands of security and development teams so they can fix flaws as efficiently as possible.
54%
VOLUME 7
51%
VOLUME 6
STATE OF SECURITY SOFTWARE VOLUME
Average Fix Rates of Vulnerabilities
Fix rate of vulnerabilities discovered in the first scan compared to those revealed in the last scan was about 54%.
CORRECT!
The measurable effects of this kind of testing are undeniable. Even just a single sandbox scan improved an organization's software fix rate almost two-fold.
INCORRECT!
The measurable effects of this kind of testing are undeniable. Even just a single sandbox scan improved an organization's software fix rate almost two-fold.
Importance of Sandbox Testing
Veracode also offers the capability for developers to test in a sandbox mode that gives them a chance to perform regular assessments that are effectively 'off-the-record.' This gives developers the freedom to test and improve code incrementally without anyone breathing down their necks about poor early results.
FIX RATE EFFECTS OF SANDBOX TESTING
30%
Avg. fix rate with no sandbox scans
59%
Avg. fix rate with 1+ sandbox scans
Flaw Density
On average, flaw density is typically almost cut in half between the first assessment and the final reassessment at any given organization.
67
36
Flaws/MB
First assessment
Reassessment
REMEDIATION COACHING
There are several practices that can greatly improve flaw density metrics during remediation. For example, remediation coaching improves flaw density reduction by about 1.45x.
% reduction
Latest scan
First scan
eLEARNING & DEVELOPER TRAINING
Even more dramatic, eLearning and developer training go even further, giving organizations six times better flaw density reduction metrics.
% difference
Latest scan
First scan
Impact DevOps & Continuous Testing
The majority of applications today just get the bare number of rescans necessary to get them into policy compliance.
Policy Reassessment
About 9% of applications get more than 15 policy scans within an 18-month period. But the telling thing was that on the upper range there were some organizations doing as many as 776 policy scans during that same time period--about 1.4 official scans per day. And when accounting for scans in sandbox mode, that grew to as many 6 scans per day.
40%
51%
9%
Rate of policy reassessment in 18-month period
Only one scan
2-15 scans
15+ scans
Test Your Knowledge
The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments.
What is the average number of scans per app?
1
1
3
3
5
5
7
7
10
10
INCORRECT!
While the average scan per app is 7, there are some good signs popping up that DevOps and continuous testing practices are starting to creep into organizations. About 9% of apps get more than 15 policy scans in an 18-month period, there were some organizations doing as many as 776 policy scans in the same time period.
Developer practices are changing
Suggestions certain organizations are moving toward DevOps and continuous delivery patterns
CORRECT!
While the average scan per app is 7, there are some good signs popping up that DevOps and continuous testing practices are starting to creep into organizations. About 9% of apps get more than 15 policy scans in an 18-month period, there were some organizations doing as many as 776 policy scans in the same time period.
Developer practices are changing
Suggestions certain organizations are moving toward DevOps and continuous delivery patterns
Application Development Landscape
These data points provide a valuable glimpse into today’s preferences for programming languages in the enterprise, along with breakdowns on how prone certain languages are to security imperfections.
VULNERABILITY TYPES
Over the last three years, the relative ranks for these languages have remained largely unchanged but there are some new entrants into the field and they're becoming statistically significant fairly quickly.
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
Cross-site scripting
SQL injection
Cryptographic issues
Credentials management
WHAT DOES ALL OF THIS MEAN?
