RTK-Solar presented the results of a study of software security in Russian organizations. 32% of organizations do not check the applications they develop or use for security. 59% of organizations believe that they need to strengthen their monitoring and remediation processes (24% of companies are already taking the necessary measures, 35% are not planning such measures). At the same time, almost one in three companies suffers financial (31%) or reputational (31%) damage from an incident involving vulnerabilities, the company reported.
The survey results showed that 32% of organizations do not check the applications they develop or use for security. The same share of respondents (32%) said that, on the contrary, they check the security of their software regularly. 22% of companies conduct such analysis only occasionally, and 14% of respondents scan their applications for security every six months.
Among those who conduct application security analysis, almost half (46%) eliminate all vulnerabilities, and 31% eliminate vulnerabilities of high and medium severity. Only 12% of respondents limit themselves to fixing the most critical vulnerabilities. Russian companies noted that the most common vulnerabilities in code are inefficient monitoring (38%), the use of components with known vulnerabilities (30%), and insecure configuration (30%). Exploitation of these vulnerabilities by attackers can lead to the compromise of the affected systems and to breaches of the confidentiality and availability of the data they process.
Almost one in three companies experiences financial (31%) or reputational (31%) damage due to a vulnerability incident. Most often, the financial damage takes the form of additional resource costs for eliminating vulnerabilities, which confirms the need to move from the traditional testing model to the shift-left model. Shift left moves security testing to the early stages of the software development life cycle, which simplifies and speeds up the correction of defects in the code.
Even companies that develop applications to order do not always analyze the security of the software they develop: 23% of respondents noted that they do not check the security of their applications, 32% check it from time to time, 35% check it continuously during the development of a new version (code analysis is built into the development process), and 10% scan applications every six months. The lack of application security analysis leads to the expected results. Among custom software developers who do not check software security or check it only occasionally, every fourth respondent (25%) noted that software vulnerabilities led to significant information security incidents. This highlights the need to analyze application security and to address vulnerabilities and undocumented features in code.
Daniil Chernov, director of the RTK-Solar Solar appScreener Center: “Every year the number of digital tools used is growing. It is important for companies that use them to provide them to employees as soon as possible in order to increase the efficiency of business processes. It is important for the companies that develop them to release a product or a new version as soon as possible in order to cover the current needs of customers. In this race, businesses are more likely to prioritize speed at the expense of safety. Starting in the spring of 2022, amid numerous reports of an increase in cyberattacks against Russian organizations, the situation has changed. We are seeing an increase in demand for application security analysis tools. To ensure that customers don’t have to compromise on the speed at which updates are delivered, we recommend integrating vulnerability analysis tools into the software development cycle.”
59% of organizations believe that they need to strengthen their monitoring and remediation processes (24% are already taking the necessary measures, 35% are not planning such measures). 41% of respondents believe that their current tools are sufficient for identifying and eliminating vulnerabilities.