Developers today frequently find themselves between a rock and a hard place. The business may not place security at the top of its priorities, but we all know how vital it is – and in today’s agile and DevOps working environments, developers cannot afford to finish applications and then leave the tidying up to the security team.
A new report from Veracode issued today argues that while developers do care about security, and are getting better at it, more work still needs to be done – including to ‘think like an attacker.’
The application security company, in its latest developer guide to the state of software security, used 400,000 application scans in a 12-month period between April 2016 and 2017. From that data, developers only documented mitigations for only 14.4% of all flaws, and of that number, only 25% were false positives – in other words, issues that weren’t actually there, or ‘gaming the system’ as the report puts it.
This doesn’t mean that application security is as high as it could be, however. Comparing against the OWASP top 10 vulnerabilities – broken access control, security misconfiguration, and so forth – applications passed only 30% of the time on the first scan.
This is not especially different from previously; the rate has been consistently at one third or below for the past five reports. SQL injection flaws appeared in 27.6% of newly scanned apps this year, a lower number than previously but similar to the past five reports, all between 29% and 32.2% respectively. Yet, the report notes, organizations with AppSec programs in place for at least 10 years do considerably better. Rating against the OWASP top 10 pass rate, the figure comes in at 43% pass.
So what can be done to get an AppSec strategy in place? The report offers several ideas. The report advocates to think like an attacker after finding that some developers ‘may be brushing off security recommendations based on some unsound assumptions about how applications can potentially be attacked.’
“One common risk factor we found in mitigation comments was that some developers are still trusting inputs from users to a troubling degree,” the report notes. “While 99% of legitimate users would never enter anything malicious into an input field, it’s that slim minority of attackers we still need to worry about.”
Another way of improving is to move to a DevSecOps environment. As DevOps demands organizations test and iterate more often, DevSecOps demands that they should up the frequency of their security scanning as well. Year on year, the report found the figures are slowly going up. More than a third (36.5%) of organizations still test only once a year, yet down from 38.5% of organizations in 2016. The proportion of organizations who test monthly, twice monthly, and weekly, all went up.
Perhaps the most interesting part of the survey related to the relationship between developers and security professionals. If they still view each other with, at best armed neutrality and at worst contempt, then this has to change, the report notes. “If we’re ever going to get to the point where we’re bridging the gap between developers and the security team, there has to be a change in attitudes on both sides,” the report explains.
“Developers who see security experts both internally and externally as a resource rather than as an adversary tend to make big gains on risk reduction within application portfolios.”