A recent report by Veracode that scanned over 130,000 applications flagged 76% of those apps as containing at least one security flaw. The report also found that it could take companies months to apply patches, which gives attackers more than enough time to wreak havoc. If that is not already a scary scenario, consider the streetlamp effect: the report covers ‘only’ the data and issues that Veracode’s tools can find.
The report covers only application-level security; it does not address the rest of the stack. The application is typically just the tip of the iceberg, roughly 10% of the stack. It sits on top of programming language frameworks, libraries, hypervisors, kernels, VMs, etc. Literally billions of lines of code make up the part of that iceberg sitting below the application.
“No matter how perfect your app [is], if you’re running on a vulnerable operating system, you’re in trouble – because the attacker will go after that operating system,” says Alex Gounares, CEO of Polyverse.
Gounares adds that DevSecOps is redefining the way we look at security, but he suggests that the easiest time to fix a bug is while the design is still on paper. The next easiest time to fix it is when the code is first written. Fixing bugs becomes very expensive and time-consuming once that code is deployed on a billion systems. “So, when you think about DevSecOps and that sort of security architecture, you have to think about the entire stack from the hypervisor all the way up to your application,” he said.