It is hardly surprising that simply starting an application security program reduces application security risk, but it is still good news.
According to application security firm Veracode’s seventh annual State of Software Security (SoSS) report, putting formal application security processes and application security scanning in place is by itself associated with a 46 percent reduction in flaw density.
When an organization embraces good application security practices and adds discipline to those programs, the results improve further.
As Colin Domoney wrote in the Veracode blog post “Our latest research: Some AppSec programs are dramatically reducing risk,” “Our data reveals that for larger AppSec programs (those with more than 20 applications managed), the top performers had vulnerability fix rates 68 percent better than average performers.”
The report found that when organizations worked with experts to set flaw remediation priorities, flaw density in their code fell by a factor of 1.45. Enterprises that went further and provided developer education saw a 6x reduction in flaw density.
Also according to Veracode, about a quarter of applications tested with dynamic application security testing (DAST) had cross-site scripting (XSS) vulnerabilities, while about half of applications tested with static application security testing (SAST) did. And of the top five flaw categories discovered through dynamic scanning, one (deployment configuration) did not appear at all in the list of vulnerabilities uncovered by static analysis. That gap is structural rather than accidental: deployment configuration lives in server and proxy settings outside the application source, so a scanner that only reads the code never sees it, while a scanner that exercises the running system does.
“The major takeaway here is that neither type of test is necessarily better than the other, they’re just different. As such, it is important for security managers to remember that no single testing mechanism is going to solve all of their application security problems. It takes a balanced approach to properly evaluate and mitigate risks,” Domoney wrote.
That is excellent insight, not only for application security but for many other facets of information security as well.
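To make the SAST/DAST difference above concrete, here is an added example (not code from the Veracode report or from Domoney’s post). It constructs a minimal request handler with a reflected XSS, a deployment wrapper that may or may not add security headers, and two crude scanners: a black-box probe that sends a canary payload and inspects the response, and a source-level stand-in for a taint rule. The point it shows is that both scanners see the XSS, but only the runtime probe can see the missing headers, because those are decided in the deployment layer rather than in the application code. All names (`vulnerable_app`, `deploy`, `dast_probe`, `sast_stub`, the canary string) are assumptions made for this example.

```python
"""Added example (not from the Veracode report or Domoney's post): why a
runtime (DAST-style) probe and a source-level (SAST-style) check disagree.
The app, the deployment wrapper and both probes are constructed here."""
import html
import inspect
from urllib.parse import parse_qs, quote


def vulnerable_app(environ):
    """Reflects the 'q' query parameter into HTML unescaped.
    Returns (status, headers, body) so the example needs no web server."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    q = params.get("q", [""])[0]
    body = f"<h1>Results for {q}</h1>"  # request input flows to an HTML sink with no encoding
    return 200, {"Content-Type": "text/html"}, body


def fixed_app(environ):
    """Same handler with output encoding applied at the HTML sink."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    q = html.escape(params.get("q", [""])[0])
    body = f"<h1>Results for {q}</h1>"
    return 200, {"Content-Type": "text/html"}, body


def deploy(app, add_security_headers):
    """Models the deployment layer (reverse proxy or server config) wrapping the
    application. Whether security headers are sent is decided here, not in the
    application source, so a scanner that only reads app code cannot know."""
    def served(environ):
        status, headers, body = app(environ)
        if add_security_headers:
            headers = {
                **headers,
                "X-Content-Type-Options": "nosniff",
                "Content-Security-Policy": "default-src 'self'",
            }
        return status, headers, body
    return served


# Constructed canary payload: distinctive enough that finding it verbatim in a
# text/html response is unambiguous evidence of unencoded reflection.
XSS_CANARY = "<svg/onload=dast_probe_1>"
EXPECTED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options")


def dast_probe(served):
    """Black-box check: send the canary and inspect the response as a browser would."""
    findings = []
    status, headers, body = served({"QUERY_STRING": "q=" + quote(XSS_CANARY)})
    if headers.get("Content-Type", "").startswith("text/html") and XSS_CANARY in body:
        findings.append("reflected-xss")
    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings.append(f"missing-header:{name}")  # a deployment-configuration flaw
    return sorted(findings)


def sast_stub(app):
    """Stand-in for a static taint rule: a request parameter reaches an HTML
    f-string without html.escape. Real SAST engines track data flow properly;
    this only needs to show that source inspection sees the code, never the deployment."""
    src = inspect.getsource(app)
    tainted_sink = "parse_qs(" in src and 'f"<' in src
    return ["reflected-xss"] if tainted_sink and "html.escape(" not in src else []


if __name__ == "__main__":
    for label, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        for hardened in (False, True):
            print(f"{label:10s} headers={hardened!s:5s} "
                  f"SAST={sast_stub(app)} DAST={dast_probe(deploy(app, hardened))}")
```

Running the block prints four rows. The vulnerable handler is flagged by both checks regardless of deployment, the fixed handler by neither, and the two `missing-header` findings appear only in the DAST column and only when the deployment wrapper omits them; nothing in either handler's source could have told the static check that.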
One key step to protecting at-risk enterprise applications