The outlook of application security in 2017

Educated guesses about the direction application security will take in 2017

We scan a lot of code at Veracode. In fact, we recently passed the 2 trillion mark for lines of code scanned. This is the code either written by or in production use by our customers.

All that scanning gives us unique insights into software security trends and patterns, such as what vulnerabilities organizations are seeing, how they are fixing them and where they are struggling. Each year, we pull those insights together into a State of Software Security (SoSS) report based on the security assessments we have performed during the preceding 18 months.

Looking at the data from 2015 and the first half of 2016, I’ve examined these patterns to develop some educated guesses about the direction application security will take in 2017.

Vulnerability fix rates improve

The organizations in our most recent study fixed about 54 percent of the vulnerabilities found during this time. This is an improvement from the fix rate in the previous year’s SoSS report, which was 51 percent. And we saw this improvement in fix rates across every industry vertical except financial services. The manufacturing sector is remediating at an 80 percent fix rate, so we know further improvement is achievable.

These remediation stats indicate a broader trend of organizations starting to take application security more seriously. As breaches proliferate, and as awareness of application security and its best practices increases, I predict we will continue to see these rates improve in our next report.

Components lead to systemic risk

Unfortunately, we’re also seeing a real threat bigger than most people realize resulting from the reuse of vulnerable software components. Because of increased pressure to get code developed quickly, the use of open source components has exploded and won’t slow down anytime soon.

The applications scanned by Veracode have an average of 46 unique components, and 97 percent of all Java applications Veracode assessed in 2015 and early 2016 had at least one component with a known vulnerability.

The way that developers use these components causes their vulnerabilities to proliferate more widely than anyone realized. In our most recent SoSS report, we took a comprehensive look at one vulnerable component, Apache Commons Collections 3.2.1. Within five generations of dependents, 80,323 software components inherited the same vulnerability as ACC v3.2.1, and those components are in turn used to build millions of software programs.

We found this component in 25 percent of the Java apps we scanned. When looking at all vulnerable versions of the component, we found it in 50.3 percent of Java apps scanned. Bottom line: one vulnerability in one component can affect the whole ecosystem creating widespread, systemic risk.
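To make the "generations" idea concrete, here is an added example (not Veracode's analysis, and the dependency graph and component coordinates are constructed) that walks upward from one or more vulnerable component versions through the components that depend on them, labelling each with the generation at which it inherits the vulnerability; a component reached by several paths keeps its shortest distance.

```python
from collections import deque

# Constructed dependency data (not Veracode's): maps a component to the
# components that declare it as a direct dependency (its first-generation
# dependents). All coordinates are hypothetical.
DEPENDENTS = {
    "commons-collections:3.2.0": ["legacy-d:1.2"],
    "commons-collections:3.2.1": ["lib-a:1.0", "lib-b:2.3"],
    "lib-a:1.0": ["framework-x:4.1"],
    "lib-b:2.3": ["framework-x:4.1", "tool-c:0.9"],
    "framework-x:4.1": ["app-1", "app-2"],
    "tool-c:0.9": ["app-3"],
    "app-3": ["app-4"],
    "legacy-d:1.2": ["app-5"],
}

def affected_by_generation(vulnerable, dependents, max_generations=5):
    """Walk upward from the vulnerable component versions through their
    dependents, breadth first. Returns {component: generation}: a direct
    dependent is generation 1, a dependent of that is generation 2, and so
    on. A component reachable by several paths keeps its shortest distance,
    and components beyond max_generations are not reported."""
    seen = {comp: 0 for comp in vulnerable}
    queue = deque(vulnerable)
    while queue:
        comp = queue.popleft()
        gen = seen[comp]
        if gen >= max_generations:
            continue
        for dep in dependents.get(comp, []):
            if dep not in seen:
                seen[dep] = gen + 1
                queue.append(dep)
    return {comp: gen for comp, gen in seen.items() if gen > 0}

def per_generation(affected):
    """Count how many affected components sit at each generation."""
    counts = {}
    for gen in affected.values():
        counts[gen] = counts.get(gen, 0) + 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    one_version = affected_by_generation(["commons-collections:3.2.1"], DEPENDENTS)
    all_versions = affected_by_generation(
        ["commons-collections:3.2.0", "commons-collections:3.2.1"], DEPENDENTS)
    print(per_generation(one_version))          # {1: 2, 2: 2, 3: 3, 4: 1}
    print(len(one_version), len(all_versions))  # 8 10
```

Seeding the walk with every vulnerable version rather than a single one mirrors the difference between the 25 percent and 50.3 percent figures above: the set of affected applications grows as soon as older vulnerable versions are counted too.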

I’m afraid that the systemic risk created by the use of open source components will increase without more oversight. But I also think 2017 will see increasing awareness of the potential security issues of open source components and more organizations investigating solutions to get a handle on component use – hopefully before we see another Heartbleed.

Devops leads to improved security at the development stage

Devops is happening. Data from the SoSS report shows that some development teams scan applications 700 to 800 times in an 18-month period, proving that the devops model is becoming more popular.

We will see more and more organizations adopting this model in 2017. But we will also see a corresponding increase in security assessments at the development stage. There’s a lot of talk about the challenge and hurdles of securing applications in a devops environment. But I think this shift is less a security obstacle and more an opportunity for improvement.

Devops creates an environment where operational teams, developers and quality assurance all work together in continuous release cycles to produce high-quality code. It also provides development processes that offer logical and easy points to integrate security, making devops an enabler of security, rather than another hurdle.

There is a strong appetite to automate everything possible in devops. Building automated security testing into continuous integration pipelines relieves the development team of a manual step. It also drives finding and fixing closer to when the code was first written, when it is most efficient.

2017 will see an appsec transformation

There are a lot of challenges, but overall I’m optimistic about the future of appsec in 2017. It looks like appsec awareness is increasing and enterprises are starting to take deliberate steps on securing their code. They are also expecting their software vendors to do the same. The shift in development models is creating an opportunity to more easily embed security earlier into the development process. These trends will, in turn, lead to the emergence of better appsec solutions and best practices in 2017.

This article is published as part of the IDG Contributor Network.