DevOps Producing more Insecure Apps than Ever Before


Traditional applications are still introducing risks to the enterprise, and the number of serious vulnerabilities is on the rise across most sectors. This is according to WhiteHat Security in their 2018 Application Security Statistics Report: The Evolution of the Secure Software Lifecycle. The report found that, beyond traditional applications, vulnerabilities in agile development frameworks, microservices, application programming interfaces (APIs) and cloud architectures also pose security challenges.

Still a Long Way to Go

Although there have been some noticeable improvements in the financial, healthcare and retail sectors, all major industries struggle with long windows of exposure. Combined with the length of time taken to repair vulnerabilities, these factors push risk levels above those found in last year’s report.

“Businesses are transitioning from traditional applications and legacy systems to web and mobile applications that are purpose-built to serve up superior customer experiences,” said Craig Hinkley, CEO of WhiteHat Security. “However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats.”

Taking on New Practices

New applications have become the foundation of how an enterprise transforms digitally. To add more value to what they offer, companies have had to take on new software development practices. However, the findings in the report suggest that businesses are still not building security into the app development lifecycle.

The report revealed that almost 70 per cent of each application consists of reusable software components. What’s more, the four most likely vulnerabilities – information leakage (45 per cent), content spoofing (40 per cent), cross-site scripting (38 per cent) and insufficient transport layer protection (23 per cent) – have not changed in the past year.

A Need for DevOps Security

“DevOps is now mainstream, but the adoption of security within the DevOps process is still lagging. Our work to track this trend for the past three years has shown that organizations continue to grapple with an increase in application releases, increased volume and complexity of attacks, and an ever-widening AppSec skills gap,” said Setu Kulkarni, vice president of corporate strategy at WhiteHat Security. “However, we also find that organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and that their time to fix improves by 25%.”

Join us for ESRM UK

The need to adopt a holistic approach has never been more pressing, as the methods by which enterprises collect, share and store data continue to increase in complexity and diversity. Join us in March 2019 as we discuss what is needed to define information and security risk management in a way that identifies it as a core business function, in equal prominence with financial performance and customer satisfaction.