Contrast Security Study Highlights Lower Application Security Debt Equates to Reduced Risk

2021 Application Security Observability Report from Contrast Labs also reported a 31% jump in serious vulnerabilities and a 29% increase in likelihood of attacks on vulnerabilities

A new study by Contrast Security reveals that customers using the Contrast Application Security Platform achieve median time to remediate vulnerabilities that are resolved nearly 29 times faster than legacy application security solutions (3 days versus 86 days). Faster remediation of vulnerabilities translates into reduced security debt and risk, with Contrast customers reducing their vulnerabilities-per-application backlog by 19% over the last year. Organizations with smaller vulnerability backlogs are able to remediate vulnerabilities 58% faster than other organizations, which also equates to lower risk. 

The report also discovered that vulnerability prevalence for Contrast customers shrinks dramatically following deployment, which is described as vulnerability escape rate (VER). An average of 6 new serious vulnerabilities and 12 new vulnerabilities, in general, are introduced into applications during the first two months of Contrast deployment. This VER is cut in half to 3 and 6, respectively, after nine months and reduced almost altogether to 0 and 1, respectively, after one year. 

The 2021 Application Security Observability Report is based on aggregate telemetry data — between July 2020 and June 2021 — compiled by Contrast Labs from thousands of real-world applications, application programming interfaces (APIs), and third-party libraries across numerous industries and enterprises protected by the Contrast Application Security Platform — Assess, OSS, and Protect. The data reflects vulnerabilities and attacks that organizations can use to assess their application risk and enhance their security protocols.

Serious Vulnerabilities Rise, Targeted Attacks Increase

Per the study, application vulnerabilities remain a concern. The prevalence of applications with serious vulnerabilities increased 28% over last year — accounting for almost 4 in 10 of all vulnerabilities. Further, the percent of applications with at least one serious vulnerability increased 8%, to 34% of all applications. Vulnerability types with the biggest jumps included broken access control and insecure configuration. Sensitive data exposure, broken authentication, and insecure configuration vulnerabilities had the highest rates of prevalence. 

On the upside, the report revealed good news on attacks that are viable (viz., connect with a vulnerability that can be exploited), which declined to 1% from 2% over last year. Yet, there was also bad news on the attack front, with the overall volume of attacks on application vulnerabilities increasing 7%. SQL injection, broken access control, cross-site scripting, command injection, and expression language injection all increased 9% or more. Attack volumes across languages varied. For Java applications, expression language injection vulnerabilities saw the biggest jump (18%), while cross-site scripting (19%) and insecure deserialization (10%) experienced the largest increase in .NET applications.

"Findings in this report demonstrate that both custom and open-source code present significant risk," said Jeff Williams, CTO and co-founder at Contrast Security. "Organizations must be diligent in analyzing their software for vulnerabilities and protecting those applications from malicious attacks. But, as the adoption of software accelerates, legacy application security approaches are being pushed far past their limits. In response, a modern platform-based solution is necessitated, one that is scalable, accurate, and fully automated and shifts security left in development while extending it right in production." 

Focus on Application Code That Poses Risk

Not all application code is the same when it comes to securing what matters. Applications are composed of two major categories of code: custom code and open-source libraries. The majority of the open-source code is "inactive" or "dead" code that is never invoked at runtime and presents no risk. When we focus on "active," we find that 77% of the code is custom code and only 23% is code from open-source libraries. Interestingly, 62% of open-source libraries included in an application are never invoked at all.

Applications and APIs written in Java and .NET both contain an average of 20% custom code; the remainder is open-source code. For Java applications, fewer than 37% of open-source libraries are active and 25% of the classes in those libraries are inactive. For .NET applications, 12.5% of active open-source libraries are active and 57% of classes in those libraries are inactive. 

"What this tells us is that not all application code poses a risk," said Williams. "Inactive open-source libraries and frameworks that are never invoked can't be exploited and don't create any risk. Vulnerabilities in inactive libraries are false positives that waste development team time and effort. Developers and security teams should focus on libraries that are both vulnerable and actually run."

Route Intelligence Reveals Ubiquitous Risk, Importance of Prioritizing Remediation

Contrast provides a unique view of application security by "route" that is organized by exposed attack surface. On average, over 84% of all application routes were exercised at least once, and 57% are exercised each month. Over the past year, Contrast found that 68% of applications secured with Contrast Assess achieved 80% coverage in 12 months. Further, the report found that both exercised and unexercised routes pose risk: an average of 82% of applications expose routes with vulnerabilities. 

"Understanding routes is the key to putting vulnerabilities in context, ascertaining risk, and identifying the right developer to remediate problems," said Williams. "It's scary how many applications expose routes that are unknown to development, testing, and security teams. These unknown routes represent tremendous risk, as they often unintentionally expose administrative, debug, and other powerful features. Understanding how vulnerabilities are associated with individual routes enables developers to quickly and easily identify the cause of a vulnerability and fix it."

REPORT: 2021 Application Security Observability Report

PODCASTS: Key Insights on Security Debt and Vulnerability Escape Rate Trends

Key Insights on Application Vulnerabilities and Attacks

Key Insights on Application Makeup: Custom and Open-source Code

BLOG POSTS: Telemetry Shows That Custom Code Makes Up 78% of Active Code

Contrast Customers Hit Remediation Milestone Nearly 29x Faster Than Traditional Approaches

WEBINAR: Key Insights and Benchmarks from Contrast's 2021 Application Security Observability Report 

About Contrast Security:

Contrast Security provides the industry's most modern and comprehensive Application Security Platform, removing security roadblock inefficiencies and empowering enterprises to write and release secure application code faster. Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation. Doing so enables application and development teams to collaborate more effectively and to innovate faster while accelerating digital transformation initiatives. This is why a growing number of the world's largest private and public sector organizations rely on Contrast to secure their applications in development and extend protection in production.

Contact:
Contrast Security
Jacklyn Kellick
[email protected]

Source: Contrast Security

Share:


Tags: AppSec, Cybersecurity, Developer, Vulnerabilities