They knowingly send vulnerable code despite using AppSec tools

Almost half of the organizations regularly and knowingly send vulnerable code, despite the use of tools AppSec, according to Veracode.

Among the top reasons cited for promoting vulnerable code was the pressure to meet release deadlines (54%) and finding vulnerabilities too late in the software development lifecycle (45%).

Respondents said the lack of knowledge of developers to mitigate issues and the lack of integration between tools AppSec were two of the top challenges they face with implementing DevSecOps. However, almost nine out of ten companies said they would invest further in AppSec this year.

Software development is evolving

The research sheds light on how its practices and tools AppSec intersect with emerging development methods and the creation of new priorities, such as open source risk reduction and API testing.

"The software development landscape today is evolving at a rapid pace. Gadget-based architecture, containers, and cloud applications change the dynamics of how developers create, test, and develop code. "Without better testing, integration and regular training of developers, organizations will face significant breaches," said Chris Wysopal, CTO at Veracode.

Important findings

• 60% of organizations report exploiting production applications utilized by 10 his vulnerabilities OWASP the last 12 months. Similarly, 7 out of 10 applications have a security flaw in an open source library during the initial scan.
• The lack of knowledge of developers on how to achieve the issues is the biggest challenge of AppSec. 53% of organizations provide security training for developers only once a year or less. The data show that only 1% of applications with the highest scan frequency have about five times less security costs or unresolved defects than less frequently scanned applications, which means that frequent scans help developers find and fix bugs for significantly reduce the risk to their body.
• 43% cited DevOps integration as the most important aspect of program improvement AppSec.
• 84% report challenges due to too many tools AppSec, which make it difficult to integrate DevOps. 43% of companies report using between 11-20 AppSec tools, while 22% said they use between 21-50.

According to ESG, the most effective programs AppSec mention the following as some of the crucial elements:

• Application security is highly integrated in the toolbox CI / CD
• Continuous, customized training AppSec for developers
• Monitoring of continuous improvement measurements in individual development groups
• His best practices AppSec notified by development managers
• Use of detailed data to monitor the progress of the programs AppSec and providing data to management