The Invicti^™ AppSec Indicator

Organizations know web application security is a must and are feeling the urgency. In the past 12 months alone, 89% increased their focus in the area, and no organizations significantly reduced their focus.

But web applications are not yet showing evidence that they are better-secured. Our Spring 2021 edition of the Invicti AppSec Indicator examined the prevalence of common vulnerabilities in 3500 web applications during 2020. The prevalence of medium-severity vulnerabilities held steady year over year at 63%, while high-severity vulnerabilities actually increased in prevalence from 26% to 27% from 2019-2020. This followed several years of consistent decline.

Good news and bad news. While 76% of respondents said they were “family” or “besties” with their counterparts, 24% describe the relationship between security and development as “frenemies” or even “strangers.”

But security is less enthusiastic than development about the relationship:

• 37% of security respondents said “family” vs. 55% of developers
• 9% of security said “strangers” vs. only 6% of developers

Security incentives are increasingly aligned across organizations, but accountabilities are falling short. Leaders have work to do to bring true accountability to the question of web application security. Shared KPIs will further encourage deep alignment and collaboration among development, security, and DevOps.

Security and devs know that rapidly delivered innovation that puts vulnerable code into production can do much more harm than good. But security work is consuming developers’ time and delaying delivery. The fix: deeply integrate security into the SDLC to mitigate its impact to timelines, identify effective security tools that can be used efficiently, and hold everyone accountable for security outcomes.

With the security skills gap worsening, organizations can’t simply expect devs to have depth in security on arrival. Leaders must invest in developer training and enablement on secure coding and remediation and leverage security champions to improve effectiveness.

Although organizations have increased focus on security and started to integrate it into development and DevOps, we are still at the beginning of a journey that has, so far, unfolded incrementally. Can the dual challenges of innovation and security propel leaders to move faster?

Tight timelines. Constant pressure to innovate. Developers have their work cut out for them and security can feel like a bottleneck on delivery timelines. It’s no surprise, then, that skipping security steps is commonplace.

Now its own category in the OWASP Top 10 list of vulnerabilities, insecure design remains a vexing problem. When code is inherently vulnerable from day one, the problems flow downstream (and risk increases).

Developers are increasing their knowledge of secure design practices, but this is not yet the default approach. Among our respondents, only 42% spend most of their time remediating issues identified in the IDE, with the balance of remediation focused on issues caught during QA or in production.

In an effort to reduce the amount of vulnerable code that makes it to production, many organizations are pursuing a “shift left” approach - bringing security closer to the software development lifecycle (SDLC). But the reality is that the end state of complete shift left remains elusive in many organizations.

Only 1 in 5 respondents reported that they’ve fully shifted left, and 47% have not integrated into the SDLC at all. Another third report they’re in the “messy middle,” pointing to an overall trend that integration is lacking in web app security.

Although organizations that have integrated application security testing into the SDLC tend to report higher coverage of the attack surface, they still fall short of full coverage.

Overemphasis on shifting left can also draw resources and attention from the production attack surface. With agile models driving frequent code updates and new vulnerabilities emerging, production applications represent significant risk. To address this risk, organizations should strive to achieve coverage of 75-100% of apps.

Security, developer, and DevOps practitioners spend every day situated in the tension between shipping code fast and maintaining security. A deeper understanding of their real-world challenges can show leaders where to intervene.

The ongoing challenges of protecting their organizations from security threats have taken their toll on development and security professionals alike. Hardest hit are those in DevOps roles, likely because they are accountable for both the on-time delivery of new features and the coordination of security and quality fixes.

With stress threatening to create significant staff retention problems, organizations will struggle to meet their innovation goals. Executives cite IT talent shortages as the chief barrier to their adoption of nearly two-thirds of emerging technologies, including cloud migration, automation, and security tools themselves.

False positives - or the flagging of a vulnerability that is not, in fact, a real vulnerability - are a huge problem in web app security.

The good news is that the robots haven’t taken away everyone’s jobs. The bad news is that robots haven’t even taken away the bad parts of people’s jobs. Painstaking manual efforts to address verification of false positives draw time and energy away from more strategic security and development priorities, and come at a real cost to organizations. Our own analysis indicates that the average large enterprise may waste as much as half a million dollars every year on manual verifications.

Even the best human horsepower can’t address the challenges of web application security alone, and practitioners and developers know it. Their tools need to work much harder to ever have hope of staying on top of threats. Automation is the only way forward, but organizations are falling short on this element and the integrations that make it possible.

Who, exactly, is creating security threats? It turns out that attackers are getting an assist from some unexpected sources.

Security and development pros have enough to contend with given the threat landscape, resource constraints, and underpowered tools. But respondents face low-tech risks as well. We asked about the biggest human threats to security in their organization. The surprising finding: respondents more frequently cited human error and leadership apathy as the biggest security threats, assigning lower concern to malicious actors inside and outside their organization.

Emerging technology advancements present a double-edged sword for the future of web app security. Most of the advancements that hold promise for making things better also have the potential to increase threat when in the wrong hands. Our respondents are optimistic and pessimistic in nearly equal measure.

Organizations have set their sights on a range of technologies that promise digital transformation and speed innovation. But as they rush to embrace things like ML/AI, cloud, containerization, and increasingly sophisticated web technologies, they cannot fail to ensure their security strategy keeps pace.