Study Shows Human Error is a Leading Factor and Suggests Security Operations Centers Should Look to Automation to Mitigate Potential Threats
SANTA CLARA, CA – Micro Focus (LSE: MCRO; NYSE: MFGP) today published its 2019 Application Security Risk Report, which reveals that publicly disclosed security issues have reached the highest level ever recorded in a single year, and that current security standards and legislation intended to mitigate such risks are proving ineffective. These findings suggest human error to be a leading factor and indicate that Security Operation Centers (SOCs) should continue to look to automation by employing tools that can identify potential vulnerabilities before they become confirmed threats.
Data shows that 94% of over 11,000 Web applications contained bugs in security features. Further, one in eight open source downloads contain a known vulnerability. These findings suggests that researchers are expanding the domain of weaknesses that lead to the majority of vulnerability discoveries and that attackers are increasing threating activity aimed at the open source software supply chain.
"The 2019 Application Security Risk Report suggests that the majority of breaches identified appear to come as a result of a combination of factors, including the targeting of the open-source software supply chain, human error, and poor security standards," said Alexander Hoole, Manager, Software Security Research at Micro Focus. "To overcome the deluge of security threats, organizations should invest in the development of proactive defensive strategies suited to their operational needs, such as maintaining a catalog of open source components, automation, and reviewing existing security standards."
The Micro Focus 2019 Application Security Risk Report provides a thorough analysis of weaknesses, vulnerabilities and data breach trends, the impact of regulations such as GDPR on risk mitigation, efforts by governing bodies to establish minimum standards for data processing, and an investigation of open source as a cause of risk. The report analyzed software vulnerabilities detected in over 11,000 applications, using techniques capable of analyzing more than 26 programming languages, with knowledge of more than 900 weaknesses types, spanning over one million APIs.
Key observations include:
In 2018, the proportion of high-severity vulnerabilities fell to 26 percent, the lowest level in four years and the second-lowest level in a decade. Conversely, the proportion of medium-severity vulnerabilities has increased to 59 percent of all vulnerabilities, from 48 percent in 2009, while low-severity vulnerabilities have increased to 15 percent in 2018, from 5 percent in 2009. This implies that researchers and attackers are expanding the weakness categories being investigated. Enterprises should do the same.
Supply chain integrity remains a major concern as open source component use continues to rise. Ensuring that a catalog of open source components, consumed by applications developed within a company, is maintained is a first step to being able to evaluate the presence of vulnerable component versions used within a company. Actively monitoring the catalog and keeping it up-to-date is essential.
Enterprises affected by the Payment Card Industry (PCI) Data Security Standard (DSS) commonly fail to comply with one or more DSS requirements. The data suggests that companies need to also be aware of the critical vulnerabilities which may fall outside of the requirements for a particular standard.
As organizations continue to build and advance SOC deployments alongside the evolving threat landscape, a solid foundation based on the right combination of people, processes and technology is essential. To help organizations achieve this balance IT security leaders should aim to improve their security infrastructure, encourage best cybersecurity practices, and look to automation where manual security tasks are at risk of being executed incorrectly.
To learn more please view the 2019 Pulse of AppSec: Trends and Insights webinar available for free.
More Information
The Micro Focus 2019 Application Security Risk Report is available today.
Join Micro Focus on LinkedIn and follow @MicroFocus Twitter.
About Micro Focus
Micro Focus helps organizations run and transform their business through four core areas of digital transformation: Enterprise DevOps, Hybrid IT Management, Predictive Analytics and Security, Risk & Governance. Driven by customer-centric innovation, our software provides the critical tools they need to build, operate, secure, and analyze the enterprise. By design, these tools bridge the gap between existing and emerging technologies—enabling faster innovation, with less risk, in the race to digital transformation.
Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.