Contrast’s “2020 Application Security Observability Report” presents findings drawn from aggregate telemetry that Contrast Security customers’ applications generated during development, testing, and operations between June 2019 and May 2020.
Key findings include:
• Vulnerabilities. Nearly all applications have at least one vulnerability, and more than one-quarter have a serious one; 11% of applications have more than six serious vulnerabilities. Well over half of applications have insecure-configuration and sensitive-data-exposure vulnerabilities. Notably, twice as many Java applications have at least one serious vulnerability as .NET applications.
• Time to remediation. Contrast customers achieved a median time to remediate of seven days, compared with 121 days for customers of one static application security testing (SAST) vendor. The gap is even wider for serious vulnerabilities, 25% of which were remediated within one day and 75% within 16 days. Faster remediation translates into both lower risk and less security debt: customers with below-average security debt (i.e., fewer open vulnerabilities) show a 1.7x better risk posture than the customer base as a whole.
• Open-source libraries. The average application includes 32 different libraries, but only 45% of those libraries are actually invoked by the application. The top Common Vulnerabilities and Exposures (CVEs) for Java libraries carry significantly higher Common Vulnerability Scoring System (CVSS) scores than the top .NET CVEs, suggesting higher risk for Java applications. Organizations should keep the open-source libraries they use at versions that do not expose them to known vulnerabilities, since running older versions accumulates security debt.
• Attacks. On average, each application endured more than 13,000 attacks per month over the past year, with injection, cross-site scripting, and broken access control topping the list of attack vectors. Fortunately, 98% of attacks do not hit an existing vulnerability. The sheer volume of attempts underscores the need to prioritize remediation effectively and to block attacks on applications in production. Organizations can protect themselves by taking a strategic, risk-based approach to application security: prioritizing vulnerabilities according to the risk they pose, which requires actionable data not only at an industry level but for the specific organization.