News

Security Report Calls for Enterprise App Lifecycle Revamp

Enterprise mobile and Web app development is riddled by security gaffes, according to a new report from WhiteHat Security, which is calling for a revamp of the development lifecycle.

The firm teamed up with NowSecure and Coalfire to identify security vulnerabilities introduced into the enterprise via traditional applications and more modern apps, including those created with agile development frameworks, microservices, application programming interfaces (APIs) and cloud architectures.

The new 2018 Application Security Statistics Report analyzed data from more than 20,000 applications. It found multiple vulnerabilities in both mobile and Web apps.

Some of the high-level findings emphasized by WhiteHat Security include:

  • The number of serious vulnerabilities continues to increase at a rate that makes remediation nearly impossible, if teams continue to rely on traditional methods.
  • Microservices are riddled with vulnerabilities, averaging more vulnerabilities per line of code than traditional ones do. However, they do have a higher remediation rate and shorter time to fix than monolithic apps.
  • 85 percent of mobile apps violated one or more of the Open Web Application Security Project (OWASP) Mobile Top 10.

Regarding the latter item, the OWASP Mobile Top 10 2016-Top 10 identifies different categories of vulnerabilities, ranging from "improper platform usage" to insecure communication, authentication, authorization and so on.

In last year's report, WhiteHat Security identified the top iOS and Android vulnerabilities, advocating the more prominent interjection of security into the DevOps lifecycle, resulting in DevSecOps.

Vulnerability Likelihood by Class
[Click on image for larger view.] Vulnerability Likelihood by Class (source: WhiteHat Security)

Also like last year's report, familiar problems rank highly in the list of top Dynamic Application Security Testing (DAST) vulnerabilities found:

  • Information leakage (45 percent)
  • Content spoofing (40 percent)
  • Cross-site scripting (38 percent)
  • Insufficient transport layer protection (23 percent)

This year's report also calls for more security in DevOps and other software development lifecycle methodologies. “Businesses are transitioning from traditional applications and legacy systems, to Web and mobile applications that are purpose-built to serve up superior customer experiences,” said Craig Hinkley, CEO of WhiteHat Security. “However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats.”

WhiteHat sells the WhiteHat Application Security Platform, while NowSecure sells automated mobile app security testing products, and Coalfire sells cyber risk management and compliance services for public and private enterprises.

About the Author

David Ramel is an editor and writer at Converge 360.