Organizations knowingly ship vulnerable code despite using AppSec tools

Nearly half of organizations regularly and knowingly push vulnerable code into production, despite using AppSec tools, according to Veracode.

The top reasons cited for promoting vulnerable code were pressure to meet release deadlines (54%) and finding vulnerabilities too late in the software development lifecycle (45%).

Respondents named developers' lack of knowledge of how to mitigate vulnerabilities and the lack of integration between AppSec tools as two of the top challenges they face with DevSecOps. Even so, almost nine out of ten companies said they would invest further in AppSec this year.

Software development is evolving

The research sheds light on how AppSec practices intersect with emerging development methods and with new priorities such as de-risking open source components and testing APIs.

"The software development landscape today is evolving at a rapid pace. Microservices architecture, containers and cloud-native applications are changing the dynamics of how developers create, test and deploy code. Without better testing, integration and regular training of developers, organizations will face significant breaches," said Chris Wysopal, CTO at Veracode.

Important findings

  • 60% of organizations report that production applications were exploited through an OWASP Top 10 vulnerability in the last 12 months. Likewise, 7 out of 10 applications have a flaw in an open source library at the time of the initial scan.
  • Developers' lack of knowledge about how to fix issues is the biggest AppSec challenge. 53% of organizations provide developer security training only once a year or less. The data also shows that the 1% of applications scanned most frequently carry about five times less security debt (unresolved flaws) than the least frequently scanned applications, meaning that frequent scanning helps developers find and fix flaws and significantly reduces their organization's risk.
  • 43% cited DevOps integration as the most important aspect of improving AppSec.
  • 84% report challenges caused by too many AppSec tools, which makes integrating them into DevOps difficult. 43% of companies report using between 11 and 20 AppSec tools, while 22% use between 21 and 50.

According to ESG, the most effective AppSec programs share the following critical elements:

  • Application security is tightly integrated into the CI/CD toolchain
  • Continuous, customized AppSec training for developers
  • Continuous tracking of improvement metrics for individual development teams
  • AppSec best practices are shared by development managers
  • Analytics are used to track the progress of AppSec programs and report it to management
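As an added illustration of the first of those elements (this is not from the article, Veracode or ESG), the following GitHub Actions workflow shows what "scanning on every change" rather than "scanning before release" looks like in practice. It is written for a hypothetical repository: the branch name, the project language and the severity threshold are assumptions. Static analysis (CodeQL) runs on every push and pull request, and a dependency review blocks pull requests that introduce open source packages with known high or critical advisories.

```yaml
# Added example: CI workflow for a hypothetical repository, not part of the article.
# Assumptions: default branch is "main", the project is JavaScript/TypeScript,
# and new dependencies with high or critical advisories should fail the PR.
name: appsec-scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload CodeQL results to code scanning

jobs:
  sast:
    name: static analysis on every change
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumption: JS/TS codebase
      - uses: github/codeql-action/analyze@v3

  sca:
    name: open source dependency review (pull requests only)
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # fail the PR on newly introduced high/critical advisories
```

The two jobs map onto the two findings above: the CodeQL job surfaces code-level flaws (including OWASP Top 10 classes) at the commit that introduces them, and the dependency review job catches the open source library flaws that the initial scan would otherwise find much later. Failing the pull request, rather than only reporting, is what moves the fix to the earliest point in the lifecycle; the severity threshold is a policy choice and should match the organization's own risk tolerance.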

iGuRu.gr
Written by Anastasis Vasileiadis
