Application Security Observability Report Shows Developers Write More Secure Code the More They Use the Contrast Platform
One way that organizations can speed their development cycles while improving the security of their applications is for developers to learn how to avoid specific vulnerability types as they write custom code. This results in fewer vulnerabilities over time and presents organizations with the opportunity to reduce existing security debt.
But this is easier said than done. Developers are overwhelmed with aggressive release cycles and do not have the time to take months off work to attend comprehensive security training. And it is difficult to teach these concepts in a theoretical classroom setting anyway. Equally challenging is figuring out a way for corporate trainers—or even engineering managers—to teach the concepts using projects currently in progress.
Fortunately, analysis of telemetry data from all the applications protected by Contrast Assess, Contrast Protect, Contrast OSS, and Contrast Scan shows that our customers are improving the security of their coding after being on the platform for a relatively short time. More on that later, but first some discussion of vulnerabilities and attacks in general—which illustrates why this is such an important achievement.
VULNERABILITIES 39% MORE LIKELY TO BE SERIOUS
Per our just-released 2021 Application Security Observability Report, a significantly higher percentage of applications had serious custom code vulnerabilities this year than last year—34% this year compared with 26% last year. Overall, 13% of applications have one or two serious vulnerabilities, while 3% have more than 100.
Just as concerning is the percentage of all vulnerabilities that are serious (High or Critical)—39% this year compared with 28% last year, a 39% increase! A greater share of serious vulnerabilities means increased risk for organizations and greater urgency to speed up remediation.
Nearly 4 in 10 vulnerabilities identified in the past 12 months were High or Critical.
APPLICATIONS IMPACTED BY INSECURE CONFIGURATION QUINTUPLE
Broken access control and cross-site scripting (XSS) continued to be the top two vulnerability types in terms of the percentage of applications they impact, and both impacted 18% of applications—a significantly bigger share than last year. Broken access control garnered a 35% increase, while XSS saw a 20% jump. Also noteworthy—and a cause for concern—was the percentage of applications with insecure configuration vulnerabilities, which quintupled from 1% to 5%.
Broken access control, cross-site scripting (XSS), and insecure configuration vulnerabilities impacted a significantly larger share of applications this year.
HIGHER LIKELIHOOD AND IMPACT VULNERABILITIES MORE PREVALENT
Notwithstanding, the risk presented by a vulnerability depends heavily on the impact it would have on the business if it were exploited. Contrast Labs rates each vulnerability type as high, medium, or low impact. For example, SQL injection is high impact because it can result in a full takeover of a database. When looking at the prevalence of higher-impact vulnerabilities, it is possible to create a matrix of likelihood and impact like the one below.
Given these ratings, it is instructive to see which medium and high-impact vulnerabilities have medium and high prevalence. The three boxes closest to the upper left in the illustration below—high likelihood/high impact, medium likelihood/high impact, and high likelihood/medium impact—covered 40% of vulnerabilities this year compared with just 28% last year. This should get the attention of anyone involved in application security. Along with the higher proportion of vulnerabilities that are serious, these findings accentuate the need to reduce security debt and prioritize remediation according to risk.
A combination of high likelihood/high impact, medium likelihood/high impact, and high likelihood/medium impact vulnerabilities increased this year.
ATTACKS CONTINUE APACE BUT DECREASE IN VIABILITY
Looking at attack data from our customer base, the typical organization was pummeled with 25,343 attacks per month over the past year, so the volume remains relentless. But an even smaller share of those attacks was viable—that is, hit an existing vulnerability—than last year. In fact, the viability rate was cut in half, from 2% to 1%.
While this is good news in the short term, the 99% of attacks that were “probes” are not totally useless to attackers: Information gleaned from them can help bad actors narrow down the spots on an attack surface that are most vulnerable.
In terms of attack types, several impacted a significantly higher share of applications than last year, including SQL injection, broken access control, XSS, command injection, and expression language (EL) injection.
The running average for the percentage of attacks that were viable steadily declined, reaching 1% for the past 12 months.
VULNERABILITY ESCAPE RATE (VER) DECLINES FROM 12 TO 1 IN A YEAR
Now, back to the idea of helping developers learn to write more secure code. Fortunately, there is some good news on that front. Overall, our findings indicate that the longer an application is on the Contrast Application Security Platform, the fewer new vulnerabilities it reports. In the first two months, the typical application sees 12 new vulnerabilities—6 of them serious. After a year, a piece of software sees just one non-serious vulnerability.
We call this the vulnerability escape rate (VER), and it declines by 92% over a 12-month period. It is a subset of the defect escape rate (DER), a common metric used to measure the number of defects caught post-production compared with those caught in pre-production by QA teams and developers.
The reduction in VER is the result of the immediate feedback that developers receive from the Contrast platform when a vulnerability occurs, along with contextual information on how to fix it. This provides contextual, on-the-job security training for developers, helping them to avoid the same mistake in the future. After a year, most developers will have gone through this process for most major vulnerability types, resulting in much more secure custom code because developers learned how to avoid a mistake just after they made it.
The vulnerability escape rate (VER) declined from 12 in the first two months to just 1 after 12 months.
TAKEAWAYS
The vulnerability and attack data in the 2021 Application Security Observability Report reveals the advantage that users of the Contrast Application Security Platform have when it comes to getting on top of vulnerabilities. Important takeaways include:
- Quick remediation is increasingly important as more vulnerabilities are serious. Nearly four in 10 vulnerabilities are serious, and 40% are relatively high in prevalence and impact. The more quickly these problems can be fixed, the better the organization’s risk profile.
- Attacks are relentless, highlighting the need for timely response. Tens of thousands of attacks hit the typical organization every month. And although the vast majority of these are probes, viable attacks will eventually come and individual applications typically experience hundreds every month. This accentuates the need for both quick remediation of vulnerabilities found in production and runtime protection when attacks do occur.
- There is light at the end of the tunnel when it comes to new vulnerabilities. The typical application on the Contrast platform sees only one new, non-serious vulnerability after the first year—a dramatic improvement over the first two months. This means that with immediate feedback, developers can really learn to avoid vulnerabilities in custom code.
- Observability is key. Traditional approaches to application security do not distinguish well between the riskiest vulnerabilities and those that pose little or no risk. Contrast users have the advantage of granular visibility to help them eliminate their security debt over time, deal with current vulnerabilities in a timely manner, and dramatically reduce the number of future vulnerabilities. This observability is made possible by the instrumentation approach in the Contrast platform.
This blog post just covers a portion of the findings of Contrast’s flagship annual report on the state of application security. I hope you will download and read the entire report. Other highlights include:
- 78% of active application code is custom code, while just 22% is open source.
- Contrast customers’ median time to remediation is 29x faster than what is reported by a major traditional SAST vendor.
- Contrast customers also reduced their security debt per application since last year.
- The average Contrast RiskScore declined by 1.5 points out of 10 over the past year, suggesting that the Contrast customer base is reducing its application security risk over time.
REPORT: 2021 Application Security Observability Report
PODCAST: Key Insights on Application Vulnerabilities and Attacks (New Report)
WEBINAR (Register): Key Insights and Benchmarks From Contrast’s 2021 Application Security Observability Report
VIDEO: Introducing Contrast’s 2021 Application Observability Report