An analysis of more than 101 million application security alerts conducted by OX Security, a provider of an application security posture management (ASPM) platform, finds only 2% to 5% require immediate action, with more than 95% considered informational.
On average, an organization faces 569,354 security alerts across an average of 469 active applications, a volume the report estimates can be reduced to 11,836 through context-based prioritization. Of those, according to the report, only 202 are actually critical.
Specifically, 32% of the issues discovered have low exploit risk, while there is no public exploit for a quarter of the vulnerabilities that developers are being warned about.
More challenging still, 25% of all findings relate to indirect or development-time dependencies that the individual application developer often cannot remediate directly.
Of the critical issues that surface, 1.71% are Known Exploited Vulnerabilities (KEV): vulnerabilities known to be actively exploited in the wild that are also exploitable in the specific customer environment and therefore demand immediate attention. Another 1.62% represent exposed secrets.
OX Security Field CTO Boaz Barzel said the report makes it clear that application developers are being overwhelmed by security alerts, which only further exacerbates the friction between cybersecurity teams and application developers. The situation is likely to worsen as application developers rely more on artificial intelligence (AI) tools to generate code. Many of those tools were trained on code collected from across the internet that has known vulnerabilities, which, while concerning, may not be especially critical, he noted.
Most application developers now routinely ignore the alerts being generated or simply turn off security tools that generate too much noise as they are attempting to write code, he added.
While a lot of progress has been made in adopting DevSecOps best practices, the effort to shift as much responsibility for application security as possible onto the shoulders of developers is not feasible, said Barzel. Instead, organizations need a more comprehensive approach that, in addition to deprioritizing many alerts at once, enables a DevSecOps team to address critical issues more adroitly. Those DevSecOps teams need to focus more on qualitative results rather than quantitative reports, noted Barzel.
Ultimately, cybersecurity teams need a deeper understanding of how applications are constructed. Many of the vulnerability alerts generated concern code that either is not reachable from the internet or is never actually loaded into memory. Without that context, all the time and effort spent creating long lists of vulnerabilities for application developers to investigate is wasted, at a moment when organizations are under more pressure than ever to build and deploy software. As a result, most developers allocate only a few hours a month to remediating vulnerabilities, at the expense of writing additional code.
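As an added illustration (not code from the OX Security report or its platform), the following Python sketches the context-based prioritization the article describes, combining KEV status, public-exploit availability, exploit risk, reachability and dependency type to sort raw scanner findings into tiers. The field names, tier labels and sample findings are constructed assumptions, not the report's data.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass
class Finding:
    """One scanner alert plus the context signals the report says matter (assumed schema)."""
    id: str
    severity: str                  # scanner-assigned: critical / high / medium / low
    kind: str                      # "vuln" or "secret"
    in_kev: bool = False           # listed in the Known Exploited Vulnerabilities catalog
    public_exploit: bool = False   # a public exploit is available
    low_exploit_risk: bool = False # scanner rates exploitation as unlikely
    internet_reachable: bool = True
    loaded_at_runtime: bool = True # code actually loaded into memory in production
    dependency: str = "direct"     # direct / indirect / dev


def triage(f: Finding) -> str:
    """Map a finding to 'act-now', 'fix-soon', 'route-to-platform' or 'informational'."""
    if f.kind == "secret":
        return "act-now"                # exposed secrets always need immediate rotation
    if not f.loaded_at_runtime:
        return "informational"          # code that never runs cannot be exploited
    if f.in_kev and f.internet_reachable:
        return "act-now"                # actively exploited and exposed: top of the queue
    if f.low_exploit_risk and not f.public_exploit and not f.in_kev:
        return "informational"          # no exploit, low risk: track, do not interrupt
    if f.dependency in ("indirect", "dev"):
        return "route-to-platform"      # developer cannot fix this directly
    if f.severity in ("critical", "high") or f.in_kev or f.public_exploit:
        return "fix-soon"
    return "informational"


def summarize(findings) -> Counter:
    """Count findings per tier, mirroring the report's 'raw alerts vs. actionable' view."""
    return Counter(triage(f) for f in findings)


# Constructed sample alerts (not real findings).
SAMPLE = [
    Finding("F1", "critical", "vuln", in_kev=True),
    Finding("F2", "high", "vuln", public_exploit=True, loaded_at_runtime=False),
    Finding("F3", "critical", "secret"),
    Finding("F4", "medium", "vuln", low_exploit_risk=True),
    Finding("F5", "high", "vuln", dependency="dev"),
    Finding("F6", "high", "vuln", in_kev=True, internet_reachable=False),
    Finding("F7", "low", "vuln"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.id, triage(f))
    print(dict(summarize(SAMPLE)))
```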
At the same time, cybercriminals are becoming more adept at discovering vulnerabilities, so even while there may only be a small number of exploitable threats, the amount of damage that could still be inflicted remains considerable. The challenge, as always, is ensuring the limited resources organizations have at their disposal are applied to issues that matter most.