32 app sec stats you should be tracking

As numerous recent surveys have shown, application security continues to be a work in progress at many organizations. Despite heightened awareness of the critical need to address security vulnerabilities earlier in the product development lifecycle, many organizations continue to emphasize shorter software release cycles over secure development and vulnerability mitigation practices.

In this roundup, we have gathered statistics from multiple survey-based reports and research studies to give you a quick snapshot of the most important trends and practices in the application security landscape. Though the statistics come from myriad sources and reflect the opinions of security practitioners and technology executives from around the world, they show a remarkable similarity in the level of concern over the current state of application security.

Download 22-Page GuideApp Security Buyer's Guide + Sample RFP

Here are 32 of the most significant application security stats you need to be tracking:

Non-mobile application security

20: The median number of vulnerabilities in applications

The median number of vulnerabilities discovered over the course of 574 data breach investigations is more than three times higher than the median of six vulnerabilities per app tested in 2013. This suggests either that developers are doing a poorer job or that bug discovery tools and processes are getting better.

Source: 2015 Trustwave Global Security Report

Make no mistake, the sheer vulnerability of organizations and the ease by which attackers can strike is a hair-raising predicament with no guaranteed solution. So what are the options? Understanding how your adversaries operate is a good place to start. —Trustwave 

72%: The proportion of web apps that have at least one encapsulation flaw

Web application developers continue to struggle with issues such as privilege escalation errors that have been well documented and well understood for years, suggesting that old habits truly die hard in the software industry. In fact, the five most common vulnerabilities in applications were the result either of encapsulation errors or weaknesses in security functions or the operating environment.

Source: HPE Cyber Risk Report 2016

No. 1: The position occupied by XSS and DoS vulnerabilities 

Web applications continue to be plagued by cross-site scriptng (XSS) and denial-of-service (DoS) vulnerabilities. Highlighted in a list of the top ten web app vulnerabilities compiled by Acunetix, close to 40 percent of websites studied had these flaws. SSL-related vulnerabilities of the sort highlighted by Heartbleed and Poodle were the third most commonly encountered issue in the Acunetix report.

Source: Acunetix Web Application Vulnerability Report 2015

The fact that half of the web applications scanned contained a high security vulnerability such as XSS or SQL Injection and 4 out of 5 contained a medium security vulnerability such as Directory Listing or POODLE, demonstrates that over 50% of the organizations scanned would fail at PCI Compliance. —Acunetix

90%: Percentage of web apps with vulnerabilities caused by security functions

Authentication, access control, encryption, and similar functions are supposed to make applications more secure. Instead, more often than not, they end up introducing security vulnerabilities in the product because of implementation and other errors.

Source: HPE Cyber Risk Report 2016

16,081: Total number of vulnerabilities detected in 2015 in 2,484 applications

Flexera Software’s annual review of vulnerabilities in applications and systems used by customers of its monitoring service showed a modest, 2 percent increase in security vulnerabilities compared to 2014 and a 39 percent increase over the preceding five-year period. The vulnerabilities existed in software products from a total of 263 vendors being used by Flexera’s customers.

Source: Vulnerability Review 2016, Flexera Software

72: The average number of malicious requests associated with a typical SQL injection attack

An analysis of 297,954 attacks on 198 applications protected by Imperva Web Application Firewalls showed half of the apps being targeted by more than 20 SQL injection attacks in a six-month period. The most intensive attack involved 400,000 malicious requests.

Source: 2015 Web Application Attack Report, Imperva

10%: Proportion of applications with hard-coded passwords 

More than five years after Stuxnet served up an abject lesson on the dangers of having hard-coded passwords, a surprisingly large number of applications still have them. Such passwords give attackers an easy way to gain complete administrative access on a vulnerable system.

Source: HPE Cyber Risk Report 2016

79%: The percentage of vulnerabilities in common non-Microsoft enterprise apps

Microsoft applications were responsible for only 21 percent of the vulnerabilities in the most popular enterprise apps used by Flexera’s customers. This suggests that organizations need to pay more attention to their non-Microsoft software.

Source: Vulnerability Review 2016, Flexera Software

45%: The percentage of organizations that plan to spend more on application security in the next 12 months

Small budgets appear to be a major barrier to improved application security, finds a UBM Tech survey of 185 business technology professionals. Other factors include a lack of support from management and a shortage of skilled resources.

Source: Application Security Trends, UBM Tech for HPE

A relatively high 58% of survey respondents said their efforts to launch new application security initiatives or improve upon existing ones were being hampered by a lack of support from management. Fifty five percent blamed the situation on a lack of skilled manpower. It’s actually somewhat surprising that this number isn’t even higher. —UBM Tech

79%: Percentage of organizations that focus their defenses primarily on public-facing websites

With application security resources being scarce, organizations are prioritizing the manner in which they allocate them. Mobile applications, applications inside private clouds, and on-premises commercial applications are some of the other top area of focus for application security spending.

Source: 2015 State of Application Security: Closing the Gap, SANS Institute

50%: The number of organizations that do not have an application vulnerability management program

Organizations without a vulnerability management program often have a harder time detecting, assessing, prioritizing, and remediating security weaknesses compared to those that do have one. Yet a new report shows that only about one-half of all organizations have a formal vulnerability management program.

Source: 2015 Enterprise Vulnerability Management Trends Report, Skybox Security

Mobile application security

65%: The percentage of respondents who felt that ‘rush to release’ software results in more mobile app vulnerabilities

The rush to meet customer demands for new functionality is taking a toll on mobile application security, a survey of 640 developers has found. Nearly four in ten of the respondents said their organizations do not scan for mobile application vulnerabilities. Mobile apps are tested only infrequently for security issues and often too late.

Source: The State of Mobile Application Insecurity, Ponemon Institute for IBM

6.5: The median number of vulnerabilities in mobile apps tested

Mobile applications continue to remain dangerously buggy. In this study of 574 breach investigations, a staggering 95 percent of all mobile apps recently tested for security weaknesses were vulnerable. About 35 percent had critical issues, while 45 percent had what were considered high-risk security issues.

Source: 2015 Trustwave Global Security Report

 $1,859,688: The average spent by large organizations on mobile app security yearly

The average annual budget for mobile application development at large enterprises is about $33,812,500 (extrapolated). Barely 5.5 percent of that amount is reserved for mobile application security, highlighting the relatively low priority placed by many organizations in this critical area.

Source: The State of Mobile Application Insecurity, conducted by Ponemon Institute

Most spending is allocated to reducing vulnerabilities and threats from proprietary software (36 percent) followed by open source software (21 percent). ... Only 11 percent is spent on pen testing to reduce threats from insecure mobile apps. —Ponemon Institute

98%: The proportion of mobile apps that lack binary code protection

Most mobile apps are dangerously vulnerable to malicious modifications and reverse engineering because they do not have binary code protection. More than nine in ten are also vulnerable to data and identity theft because of poor transport layer security controls.

Source: State of Application Security: Mobile Finance & Payment Apps. Arxan Technologies

81%: The proportion in a survey who would change their mobile app vendor because of security

Security is becoming an increasingly important decision factor in mobile app purchases by enterprises and consumers. Vendors run the risk of losing customers over poor security, according to the survey of 1,083 individuals in the US, Germany, the UK, and Japan. Increasingly, enterprises are prepared to change vendors if a similar app is known to be more secure.

Source: 5th Annual State of Application Security Report, Arxan Technologies

51.1%: The percentage of mobile applications that access geolocation data

The tendency by many mobile applications to indiscriminately collect and store geolocation, contact, and calendar data presents a major privacy threat for users. The data that is collected often exceeds the requirements of the application and is accessible to unauthorized third parties.

Source: Mobile Application Security Report 2016, Hewlett Packard Enterprise

"The risks of collecting geolocation data may not be immediately apparent, but recent headlines demonstrate how it can be disastrous. The Ashley Madison breach in 2015 is one of the more widely-publicized examples of data collection gone awry—their storage of geolocation data allowed a reporter to pinpoint the location of otherwise anonymous users." —HPE

94.8%: The share of mobile applications that log data

Logging can help developers find and correct buggy code during the application development process. But on a user's device, unnecessary logging can expose account credentials, device information and sensitive and personally identifiable data.

Source: Mobile Application Security Report 2016, Hewlett Packard Enterprise

Open-source application security

78%: The portion of organizations that use open-source software

With security concerns over open source code waning considerably over the years, more organizations have begun using open-source software to run their applications, including critical ones. In fact, 88 percent of organizations expect their companies to increase contributions to open-source projects in the next two to three years.

Source: 2015 Future of Open Source Survey, North Bridge

97%: The number of scanned Java apps in 2015 that had code quality errors

Despite increased enterprise use of open-source software, code quality remains a major concern. Sloppy coding practices such as using obsolete or deprecated functions, dead code, and confusing naming continue to be an issue with open-source software. While poor code quality does not always mean poor security, they often go hand in hand.

Source: Cyber Risk Report 2016, Hewlett Packard Enterprise

A comparison of the security issues in commercial apps and those in open-source applications suggests that developers of commercial software are generally doing a better job at security than their open-source counterparts. —HPE

82%, 87%: The percentage of Java and PHP applications, respectively, with vulnerabilities related to security functions

Just as with web applications, security features that are designed to make the applications safer often end up making them more vulnerable instead. Features that developers often include to bolster software security, such as those for authentication and access control or for encryption and privilege management, often end up becoming a source of vulnerabilities themselves.

Source: Cyber Risk Report 2016, Hewlett Packard Enterprise

97%: The proportion of PHP apps with input validation errors

PHP apps tended to have cleaner code overall compared to Java apps. But that does not make them immune from security problems. For example, a recent study by HPE showed nearly all of them having some sort of input validation errors such as SQL injection and buffer overflow errors.

Source: Cyber Risk Report 2016, Hewlett Packard Enterprise

Application security testing 

59%: The percentage of respondents whose organizations use penetration testing and dynamic scans

Enterprises tend to use penetration testing and dynamic scanning more often than any other methods for testing the security of their application code. Other methods include static vulnerability scans (54 percent), code reviews (42 percent), secure software development lifecycle processes (42 percent), and mobile application testing (36 percent), according to a survey of 185 business technology professionals.

Source: Application Security Trends, UBM Tech

28%: The fix rate advantage for static vulnerabilities over dynamic vulnerabilities

The choice of application security assessment type can have a direct impact on an organization’s ability to find and fix flaws. While no single assessment type is enough, static scans have a way of giving developers more actionable data. A study by Veracode showed that developers on average fix 64 percent of flaws discovered through static analysis compared to 50 percent of dynamic vulnerabilities.

Source: State of Software Security Report, Veracode

There are several possible reasons why static analysis observed a higher fix rate. The most likely is that static provides higher fidelity data about the root cause of a vulnerability, including source file and line number. But there are other possibilities, including the likelihood that a static assessment is being run on an application that is actively under development and that engineering therefore already sees fixing issues as a priority, where dynamic assessments may be run on a production system where the development team may not be actively engaged. —Veracode

83.2%: Percentage of organizations that use an internal security team for application security testing

Organizations tend to rely heavily on their internal teams for application security testing, but not solely on them. Other commonly used resources include external security consultants (29.6 percent), quality assurance teams (22.4 percent), development teams (21.6 percent), and security-as-a-service providers (21.6 percent).

Source: 2015 State of Application Security: Closing the Gap, SANS Institute

40%: Share of IT spend that will be allocated to application quality assurance and testing by 2018

A global market research study of over 1,500 IT leaders showed a growing recognition of QA and testing as vital to application security. QA and testing budgets in 2015 increased 9 percent year over year compared to 2014.

Source: World Quality Report, 2015-2016, Capgemini 

80%: Percentage of respondents in a Capgemini survey who said the top priority of their QA efforts was to improve application security

Organizations are paying greater attention to the impact of IT quality on security and the end-user experience overall. In addition to security, the other top priorities for QA and testing include improving customer experience, cost optimization of IT, and overall improvement in software quality.

Source: World Quality Report, 2015-2016, Capgemini

The rush to release is affecting security 

43%: The proportion of developers who released apps with known vulnerabilities at least 80 percent of the time

Regardless of development methodologies like Scrum, agile and Crystal, the typical software release cycle in many organizations is now one week or less, pushing many developers to take shortcuts, the survey found. The rush to release is having a direct impact on application security.

Source: The Impact of Security on Development, Prevoty

85%: The share who say that flaw remediation would hurt their ability to deliver apps and new feature sets on time

With the constant pressure to decrease software release cycles, a growing number of developers have begun viewing best practices such as vulnerability remediation as burdensome and time-consuming. Business pressure to release new applications and application updates often push aside security best practices.

Source: The Impact of Security on Development, Prevoty

80%: Proportion of developers who worry clients won’t trust their products if informed about vulnerabilities

Concerns over losing client trust often inhibit developers from disclosing known vulnerabilities in their products. This often results in applications being released with known vulnerabilities in them.

Source: The Impact of Security on Development, Prevoty

"[Nearly] 80 percent of developers worry that their clients won’t trust their applications if they admit there is a security flaw. Add the pressure of fast release cycles with the pressure to adhere to industry demands, and developers are working under multiple constraints at breakneck speeds to release new enterprise applications." —Prevoty

Security and application programming interfaces (APIs)

65%: The percentage of respondents who reported not having processes for API data security

The security of APIs consumed by enterprise applications is becoming a growing concern for many. A growing number of enterprises are taking steps to control access to APIs, but not enough are paying attention to the security of data consumed by applications accessing their APIs. 

Source: Managing API Security Risks, Akana

53%: Portion of respondents who say DDoS, SQL injection, and XML bombs are their biggest API security concerns

The relative lack of security around APIs has spawned a broad range of concerns. In addition to DDoS, SQL injection, and XML bombs, other concerns cited by respondents in a survey of 250 IT security professional included XML firewall and message-level security (43 percent), cross-site scripting (38 percent), and XML attacks (37 percent). Brute force, phishing, and impersonation attacks were other significant concerns. 

Source: Managing API Security Risks, Akana

Which application security statistics matter most to your organization? Share your number-crunching with your security peers in the comments section below. 

Download 22-Page GuideApp Security Buyer's Guide + Sample RFP

Image credit: Flickr

Topics: Security