The number of vulnerable applications is incredibly high, but implementing DevSecOps has proven to be effective in mitigating flaws.
DevSecOps is improving software security by providing companies with flaw persistence analysis, according to CA Veracode's State of Software Security report released on Wednesday. The study measures how long flaws remain open after they are first discovered.
Some 69% of flaws were closed via remediation or mitigation, an improvement of nearly 12% since the last report, according to the Wednesday press release. The progress shows that organizations are taking strides in closing newly-found vulnerabilities, which hackers target, the release said.
SEE: Quick glossary: DevOps (Tech Pro Research)
While improvements have been made, the number of vulnerable apps is still significantly high, with open source components presenting major risks to businesses, said the release. The study found that more than 85% of all applications have at least one vulnerability, and more than 70% of all flaws still exist one month after being discovered, the release added.
However, 25% of flaws were fixed within 21 days of discovery, said the release. Even though vulnerabilities still run rampant, the report confirmed a firm correlation between high rates of security scanning and lower application risks long term, which shows the effectiveness of DevSecOps, said the release.
The companies with established DevSecOps programs and strategies address flaws much faster than organizations without security procedures, said the release. Active DevSecOps programs repair flaws more than 11.5 times quicker, because of regular security checks during continuous deliveries of software builds, the release said.
"Security-minded organizations have recognized that embedding security design and testing directly into the continuous software delivery cycle is essential to achieving the DevSecOps principles of balance of speed, flexibility and risk management. Until now, it's been challenging to pinpoint the benefits of this approach, but this latest State of Software Security report provides hard evidence that organizations with more frequent scans are fixing flaws more quickly," said Chris Eng, vice president of research at CA Veracode, in the release. "These incremental improvements amount over time to a significant advantage in competitiveness in the market and a huge drop in risk associated with vulnerabilities."
The big takeaways for tech leaders:
- Companies with strong DevSecOps programs will locate and mitigate flaws 11.5 times faster than companies without such programs. — CA Veracode, 2018
- The number of vulnerable applications remains incredibly high, with 85% of all applications having at least one vulnerability, but implementing DevSecOps is the best way to keep a company protected. — CA Veracode, 2018
- How to build a successful career as a DevOps engineer (free PDF) (TechRepublic)
- CA Technologies acquires SourceClear in DevSecOps push (ZDNet)
- How to become a DevOps engineer: A cheat sheet] (TechRepublic)
- DevSecOps: What it is and how it can help you innovate in cybersecurity (ZDNet)
- DevSecOps teams securing cloud-based assets: Why collaboration is key (TechRepublic)