Vulnerabilities a routine part of web application releases, survey finds

Invicti research has revealed that releasing web applications with known vulnerabilities is almost a standard operating procedure for a large majority of organizations. The Fall 2022 edition of the Invicti AppSec Indicator shows that companies are struggling with alert noise – but also determined to get a grip on their web application security in 2023.

Vulnerabilities a routine part of web application releases, survey finds

Teaming up once again with Wakefield Research for the Fall 2022 edition of the Invicti AppSec Indicator, we’ve found that 74% of companies frequently or routinely release software that contains unaddressed vulnerabilities. This is just one of many alarming data points in this year’s report, alongside clear evidence that alert overload allows exploitable security defects to slip past. On the upside, the data also reveals some of the reasons behind these security shortcomings and suggests that organizations are slowly but surely getting their security posture under control with increased budgets and a drive toward modern dynamic application security testing (DAST).

When in doubt, release: Deadlines still trump security concerns

Exactly a year ago, our Fall 2021 AppSec Indicator survey found that, under pressure to innovate and release on schedule, 70% of organizations often or always skipped some security steps. Digging deeper into this worrying trend, this year we asked up front: how often do you release software with known vulnerabilities? The answers confirmed our suspicions that application security routinely plays second fiddle to business demands, with 74% of respondents saying they often or always release vulnerable applications – and only 4% confident that this happens rarely or never.

The questions were different, yet the numbers are similar: over two-thirds of organizations are unable to find and remediate application security issues without affecting their development and release plans. A multitude of reasons conspires to undermine the importance of security, with respondents naming tight release schedules and inadequate tooling and skill sets among the major challenges. However, the top answer, at 45%, was that addressing vulnerabilities isn’t a priority, suggesting that nearly half of companies are not confident in their ability to keep applications secure without compromising the development process.

Alert noise is real and obscures exploitable vulnerabilities

This year’s AppSec Indicator also sheds light on the possible reasons for this lack of confidence in existing application security processes – and it turns out that the alert noise generated by low-quality security reports is a major contributor. With false positives being the most obnoxious type of security false alarm, we asked DevSecOps professionals how often they have to deal with them. Their responses confirm that false positives are a permanent fixture of vulnerability reports, with 67% saying they discover false positives often or all the time and not a single person saying they have never seen one.

The noise generated by redundant alerts not only makes for more work but also increases risk by obscuring real issues. We’ve written about this in the past and now have yet more numbers to prove it. Specifically, 82% of this year’s respondents stated that their teams mistake an exploitable vulnerability for a false positive at least once a week – and 97% said this happens at least once a month. This confirms that alert noise is a real issue that carries real dangers. 

Even a single critical vulnerability in a production application greatly increases the risk of successful attacks. At this rate, some organizations could be looking at multiple vulnerabilities getting into production releases only because their existing tools and processes generate too many false alarms.

Companies look to DevSecOps to cure their AppSec headaches

While it is clear that all is not well, many organizations are taking the initiative and looking for more efficient and integrated approaches to application security. In our study, 42% of companies listed implementing security-centric workflows such as DevSecOps as one of their top two AppSec investment priorities. For the same question, 38% named more modern security testing tools among their top priorities, and 33% listed better developer security education – all ways to improve web application security across the entire software development lifecycle.

In terms of tooling, nearly all (97%) of companies indicated that investing in DAST technologies is a high priority for them in 2023, with over half (53%) calling it their top priority. All surveyed organizations already use DAST at least in production, with 39% relying on it heavily in that role, and DevSecOps efforts are likely to see DAST also used more often at earlier stages of the pipeline. This makes tool quality and selection critical to avoid flooding developers and security teams alike with yet more unreliable vulnerability reports that generate a lot of work for little benefit.

ROI pressures, cybersecurity budgets, future fears, and more

The Fall 2022 AppSec Indicator paints a nuanced picture of challenges and aspirations in application security. On the one hand, we clearly see organizations struggling to find and remediate security issues, with most of them resigned to accepting security risks at least some of the time just to avoid release delays. On the other hand, we are also hearing loud and clear that improvements to AppSec workflows, ROI reporting, security tools, and developer education are high on the agenda for 2023, so companies are definitely not taking this lying down.

Read the full report for insights into the shape of security budgets, expert opinions on the current and future state of the industry, and the hopes and fears of application security professionals – get the Fall 2022 Invicti AppSec Indicator: Tuning Out AppSec Noise is All About DAST.

To get the expert take on this research, join Invicti Chief Technology Officer and Head of Security Research, Frank Catucci, on November 17th, 2022, for a live webinar to discuss the report’s findings and insights – register here.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.