Scaling rapidly? Your application security strategies need to keep up

Modern application security strategies must support and enable modern software development, even as it rapidly scales, according to Mend.io.

Just 52% of companies can effectively remediate critical vulnerabilities and only 41% are confident they can manage the security and compliance risks associated with open-source components.

Efficient remediation key to application safety

“Barely half of organizations can effectively remediate critical vulnerabilities. That’s concerning,” notes Melinda Marks, Practice Director, Cybersecurity, Enterprise Strategy Group. “This means the other 48%t are at serious risk from malicious attacks, including malware, ransomware, and data loss.”

Crucially, effective remediation pays off when it comes to the most important key performance indicator: application safety. Companies that report the ability to efficiently remediate vulnerabilities were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit in internally developed applications over the last 12 months.

The research also revealed important trends and best practices among companies that can effectively remediate vulnerabilities. “We wanted to know what companies could learn from the 52% who can effectively remediate a vulnerability,” Marks says, “so we did the analysis and identified several best practices.”

Application security is a business risk

These findings are particularly concerning given heightened board level security and business risk. In fact, 85% of survey respondents say application security is a board-level priority, with good reason.

Surveyed organizations have experienced an average of ~3 serious security incidents resulting from a software vulnerability. And 70% of organizations have directly encountered at least one serious security incident from a software vulnerability in the last 12 months.

For those who’ve experienced a security incident in the past 12 months, consequences included application downtime (46%), unauthorized access to applications or data (38%), malware (34%) and data loss (34%).

Modernization demands equally modern security approaches

Survey findings indicate key patterns among the organizations that could efficiently remediate critical vulnerabilities compared to those who could not. The research shows that effective programs:

• Have more fully embraced DevOps. Organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to report they have extensively embraced DevOps (46% vs. 20%).
• Have more extensive DevSecOps adoption and automation of security workflows. These organizations have more often automated the identification and remediation of configuration and software vulnerabilities before deployment to production (78% vs. 61%).
• Prioritize open source vulnerabilities. Organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to report that they treat all open source vulnerabilities in their apps as “must fix” (60 % vs. 28%).
• Know what’s in their code. Organizations able to efficiently remediate vulnerabilities were also more likely to say they view being able to answer questions about their code, like what is its source, as critical (49% vs. 31%).

“As businesses modernize their development processes to increase productivity, security must keep pace,” said Rami Sass, CEO, Mend.io. “This research has revealed important insights that show progress is being made when it comes to best practices. Those organizations that embrace DevOps, utilize modern tools to automate security workflows, prioritize open source vulnerabilities, and understand what’s in their code demonstrate a stronger ability to effectively manage application risk and security.”