Application Security

Following Best Development Practices Does Not Always Mean Better Security: Report

While some best practices such as software security training are effective in getting developers to write secure code, following best practices does not necessarily lead to better security, WhiteHat Security has found.

Software security controls and best practices had some impact on the actual security of organizations, but not as much as one would expect, WhiteHat Security found in its Website Security Statistics Report released Thursday. The report correlated vulnerability data from tens of thousands of Websites with the software development lifecycle (SDLC) activity data obtained via a survey.

“Organizations need to understand how different parts of the SDLC affect how vulnerabilities are introduced during software development,” Jeremiah Grossman, co-founder and CTO of WhiteHat Security, said in a statement.

There was good news and bad news. As organizations introduced best practices in secure software development, the average number of serious vulnerabilities identified per Website has declined dramatically over the past two years, according to the report. There were 56 serious vulnerabilities per Website found in 2012, compared to 79 in 2011 and 230 in 2010.

WhiteHat defined “Serious” vulnerabilities as those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, and violate compliance requirements.

“In short, serious vulnerabilities are those that should really be fixed,” the company said.

All the industry sectors, with the exception of IT and energy, found fewer vulnerabilities in 2012 than in past years. Government and banking websites had the fewest serious vulnerabilities, with an average of eight and 11 per Website, respectively. The IT industry experienced the highest number of vulnerabilities per Website, 114 on average, in 2012.

In previous iterations of the report, the banking industry had the fewest vulnerabilities and fixed the most vulnerabilities. This year, its remediation rate was below the 61 percent average across all industries, at just 54 percent.

The bad news is that vulnerabilities are not being fixed quickly. On average, resolving a serious vulnerability took 193 days from the time the organization was first notified of the issue, WhiteHat said. Of all the Websites tested, 86 percent had at least one serious vulnerability exposed to attack every single day in 2012. About 61 percent of the serious vulnerabilities were resolved. Only 18 percent of the sites tested were vulnerable for fewer than 30 days during the year.
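The figures in the paragraph above (average time-to-fix, remediation rate, share of sites exposed every day of the year, share exposed fewer than 30 days) are all derived from per-finding notification and fix dates. The following is an added example, not code or data from WhiteHat's report, showing one way to compute those window-of-exposure metrics from such a dataset. The report does not state its exact counting rules, so the rules here are assumptions: a finding is open from the day it is notified until the day before it is fixed, an unfixed finding stays open through year end, findings carried over from the prior year are clipped to the year being measured, and a site's exposure is the union of its findings' open days (overlapping findings are not double counted). The findings table is constructed for illustration.

```python
"""Window-of-exposure metrics over a constructed vulnerability dataset.

Added example; the counting rules below are assumptions, not WhiteHat's
published methodology.
"""
from datetime import date, timedelta

YEAR_START = date(2012, 1, 1)
YEAR_END = date(2012, 12, 31)                      # inclusive
DAY_AFTER_YEAR = YEAR_END + timedelta(days=1)
DAYS_IN_YEAR = (YEAR_END - YEAR_START).days + 1     # 366, 2012 is a leap year

# Constructed sample: (site, finding id, date notified, date fixed or None).
FINDINGS = [
    ("shop.example", "SQLI-1", date(2011, 12, 1), None),              # carried over, never fixed
    ("shop.example", "XSS-2", date(2012, 3, 1), date(2012, 4, 1)),    # fixed in 31 days
    ("bank.example", "XSS-3", date(2012, 2, 1), date(2012, 2, 11)),   # 10 days
    ("bank.example", "IDOR-4", date(2012, 2, 5), date(2012, 2, 20)),  # 15 days, overlaps XSS-3
    ("gov.example", "CSRF-5", date(2011, 11, 1), date(2012, 1, 5)),   # carried over, fixed in January
    ("media.example", "SQLI-6", date(2012, 6, 1), date(2012, 6, 3)),  # 2 days
]


def exposure_days(findings):
    """Set of calendar days in the measured year on which at least one
    finding was open: notified on or before the day and not yet fixed.
    Unfixed findings count as open through year end."""
    days = set()
    for _site, _fid, notified, fixed in findings:
        start = max(notified, YEAR_START)
        close = DAY_AFTER_YEAR if fixed is None else min(fixed, DAY_AFTER_YEAR)
        d = start
        while d < close:
            days.add(d)
            d += timedelta(days=1)
    return days


def per_site_exposure(findings):
    """Days exposed per site, i.e. the size of the union of its open intervals."""
    by_site = {}
    for f in findings:
        by_site.setdefault(f[0], []).append(f)
    return {site: len(exposure_days(fs)) for site, fs in by_site.items()}


def remediation_rate(findings):
    """Fraction of findings that have a fix date."""
    return sum(1 for f in findings if f[3] is not None) / len(findings)


def average_time_to_fix(findings):
    """Mean days from notification to fix, over fixed findings only.
    Unfixed findings are excluded rather than counted as 'still open'."""
    durations = [(f[3] - f[2]).days for f in findings if f[3] is not None]
    return sum(durations) / len(durations)


def site_exposure_summary(findings):
    """Share of sites exposed every day of the year, and share exposed
    on fewer than 30 days; these mirror the report's per-site statistics."""
    exposure = per_site_exposure(findings)
    n = len(exposure)
    return {
        "sites": n,
        "always_exposed": sum(1 for d in exposure.values() if d == DAYS_IN_YEAR) / n,
        "under_30_days": sum(1 for d in exposure.values() if d < 30) / n,
        "days_by_site": exposure,
    }


if __name__ == "__main__":
    print("remediation rate:", round(remediation_rate(FINDINGS), 3))
    print("average time to fix (days):", average_time_to_fix(FINDINGS))
    print(site_exposure_summary(FINDINGS))
```

Note that the union step matters: bank.example has two findings totalling 25 open days, but the site was exposed on only 19 distinct days because the findings overlap, and a site with one finding open all year is "exposed every day" regardless of how fast it fixes everything else.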


Entertainment and media Websites were better at remediation than other sectors, with 81 percent of serious vulnerabilities resolved on average.

WhiteHat found that the existence of compliance regulations determined whether organizations were likely to resolve vulnerabilities. If compliance mandates required that vulnerabilities be fixed, the organization was more likely to fix them, but if the regulations don’t mention them, the vulnerability was more likely to remain, despite possible implications to the overall security posture of the site, WhiteHat said.

“It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Grossman.

A little over half, or 57 percent, of the organizations surveyed provided some form of software security training for their development teams. These organizations experienced 40 percent fewer vulnerabilities than organizations that did not offer training, and resolved issues 59 percent faster. About 39 percent of organizations said they performed some kind of static code analysis on their Websites and applications; they experienced 15 percent more vulnerabilities and resolved them 26 percent slower. Finally, 55 percent of organizations reported having a Web Application Firewall in place. These organizations tended to have 11 percent more vulnerabilities and resolved them 8 percent slower than average.

“This collective data has shown that many organizations do not yet consider they need to proactively do something about software security,” Grossman said, before adding, “This needs to change.”

The full report from WhiteHat Security is available here.
