The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Consolidate insight to enhance risk management

Charlotte Freeman

Dec 05, 2023 / 5 min read

More software, more tools, more risk

As the digital revolution has unfolded, the dramatic increase in the amount of code written, borrowed, and bought means that the attack surface has also increased dramatically. Software proliferation creates challenges for teams that must keep up with innovation while also securing their software. To address the threat that  security breaches pose, many firms have added multiple point tools throughout their software development life cycle (SDLC), yet gaining complete insight across these tools remains a persistent challenge. Businesses struggle with too many tests, too many tools, and too many findings, which hinder their ability to ship software quickly. In a budget-conscious economy, this is why you’re hearing so much right now from business and software experts  about security tools and vendor consolidation.

Consolidating vendors and security tools addresses three primary concerns plaguing businesses across all industries: growing complexity, diminished risk management, and resource inefficiencies that raise total cost of ownership (TCO). The profusion of AppSec tests and tools generates SDLC friction, increases development times, adds error and security risks, and leaves organizations struggling to scale and integrate new technologies.

Software vulnerability report data supports multilayered security

The recently published 2023 Software Vulnerability Snapshot report from Black Duck uses anonymized data from three years of tests on commercial software systems and applications to demonstrate that while there has been a significant decrease in vulnerabilities found in target applications—from 97% in 2020 to 83% in 2022—persistent vulnerabilities remain and pose significant challenges to web and software application security.

The report reinforced that organizations need a multilayered security approach that combines static application security testing (SAST) to identify coding flaws, dynamic application security testing (DAST) to examine running applications, software composition analysis (SCA) to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues that might have been missed by internal testing. With more attackers using automated exploitation tools that can attack thousands of systems in a matter of seconds, fixing high- and critical-risk vulnerabilities is urgent, not least because well over half of reported vulnerabilities are exploited within a week of disclosure.

 

The report found that

 

  • High-severity vulnerabilities are less likely: On average over the past three years, 92% of the tests uncovered some form of vulnerability. However, only 27% of those tests contained high-severity vulnerabilities, and 6.2% contained critical-severity vulnerabilities.
  • Leaked information continues to be a top risk: The top security issue that was uncovered has remained unchanged from 2020 to 2022—information leakage, a major security issue occurring when sensitive information is exposed to unauthorized parties. An average of 19% of the total vulnerabilities were directly related to information leakage issues.

  • Cross-site scripting is on the rise: Of all high-risk vulnerabilities found in 2022, 19% were found to be susceptible to cross-site scripting attacks.
  • Third-party software poses increased risks: Among the top 10 security issues in 2022, 25% of the tests conducted found vulnerable third-party libraries to be a risk. Software is likely vulnerable if you do not know which components are in use, including third-party and open source components.

The report also found that inadequate security training is a major roadblock to security, as is the shortage of security personnel. When you combine this with a threat landscape that is growing in size and sophistication, ensuring your AppSec program is efficient and effective is critical.

The findings from the report suggest that covering the critical testing types is necessary for it to be effective, but doing so without slowing down development or lengthening time to triage and remediate is where organizations struggle. This is where consolidation presents as an important initiative to help your organization not only to improve resource efficiency during a time of strained budgets, but also improve your overall risk posture.

Consolidate insight to manage multilayered security

So now that we can see the importance of a multilayered approach to AppSec, the question remains, how do you gain consolidated insight across your entire enterprise security landscape when risk data continues to live within point tools and teams?

If you approach your consolidation initiative by first adding a layer of abstraction between the development team and the security tools you are using, you can achieve three core goals for your AppSec program. First, you remove the burden of the development team to learn multiple UIs and let them continue to work within the tools they already know. Second, you remove the burden on the AppSec team to implement standard and consistent policies across each of the point tools being used by the different development teams across the company. And third, and quite importantly, with all your security tools running through one place, you gain a single source of truth for what was tested, what was found, what was fixed, and what your overall risk is at any point in time.

This layer of abstraction is one of the key benefits of application security posture management (ASPM) tools. They act as a translation layer between AppSec and development, so AppSec teams can continue to control and implement policies, SLAs, dashboards, and reporting, and development can quickly understand what needs to be fixed and how.

An ASPM tool will aggregate, normalize, and prioritize findings across all security tools in one centralized location. This will reduce noise for development teams so they can focus on what to fix, in what order, and by what date, enabling them to keep the development process moving. Identifying and prioritizing critical issues with an accurate business context of applications, components, and associated security data provides teams with an actionable picture of overall software risk at any point in time.

Consolidation with Black Duck

Black Duck offers the most comprehensive portfolio in application security, including market-leading solutions in the “big three”: SAST, DAST, and SCA. Our ASPM solution is an open ecosystem, so you have the flexibility to use the existing tooling across your entire security program. Black Duck is a one-stop partner for application security.

Report

Software Vulnerability Snapshot

Get insights into the current state of security for web-based apps and systems, including the potential impact of security vulnerabilities on business operations in high-risk sectors.

Continue Reading

Explore Topics