Protect against Log4J without patching
Learn More
Protect against Log4J without patching
Learn More

UncategorizedFixing Web Application Vulnerabilities in Development | Application Security


September 14, 2020 Timothy Chiu, VP of Marketing
The Importance of Fixing and Finding Vulnerabilities in Development
Applications continue to make it to production from development with significant vulnerabilities, and this is validated with a record number of vulnerabilities recorded in the U.S. CERT Vulnerability database last year. While ensuring security and preventing possible breaches is the primary and main reason for wanting to find as many vulnerabilities in application code during development, rather than in production, there are actually other important reasons why an organization would want to find and remediate as many vulnerabilities as possible during the development cycle.

The first additional reason and maybe one of the most compelling is the increased cost to remediate vulnerabilities that have made it to production.  According to the NIST (the National Institute of Standards and Technologies), the cost of fixing a security defect once it’s made it to production can be up to 60 times more expensive than during the development cycle.  That’s a pretty heavy increase in cost, and one that should concern most organizations.

The second additional reason to fix a defect during development is the length of time required to fix a defect once it is discovered.  Veracode’s 2019 “State of Software Security” report, indicated that the average amount of time to fix a software defect has gone from 59 days ten years ago, to an astounding 171 days in 2019.  That’s almost half a year that a vulnerability would be in production before it gets fixed if it were discovered in production, rather than during the development cycle, where it would be remediated before going to production.

These reasons for fixing vulnerabilities during development leads to the obvious question.  How do you find additional vulnerabilities during testing in the development cycle?  K2 recently wrote about how organizations can find additional hidden vulnerabilities during their DAST testing.  Full details are in the article, but a summary of how K2 can assist is below.

K2 can help find vulnerabilities in pre-production testing and address the issues around the lack of remediation guidance and the inadequate quality of security penetration testing results.  K2 Cyber Security Platform is a great addition for adding visibility into the threats discovered by penetration and security testing tools in pre-production and can also find additional vulnerabilities during testing that testing tools may have missed.  K2 can pinpoint the exact location of the discovered vulnerability in the code.  When a vulnerability is discovered (for example, SQL Injection, XSS or Remote Code Injection), K2 can disclose the exact file name along with the line of code that contains the vulnerability, details that testing tools typically are unable to provide, enabling developers to start the remediation process quickly.

K2 Cyber Security can also provide deterministic runtime application security that detects zero day attacks, along with well-known attacks.  K2 issues alerts based on severity and includes actionable alerts that provide complete visibility to the attacks and the vulnerabilities that the attacks are targeting including the location of the vulnerability within the application, providing details like file name and line of code where the vulnerability exists.

Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, K2 uses a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge.  Deterministic security uses application execution validation, and verifies the API calls are functioning the way the code intended.  There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has minimal false alerts.

Get more out of your application security testing and change how you protect your applications, and check out K2’s application workload security solution.

Find out more about K2 today by requesting a demo, or get your free trial.



Share this

Leave a Reply

Your email address will not be published. Required fields are marked *


K2 Cyber Security delivers the Next Generation Application Security Platform to secure web applications and container workloads against sophisticated attacks in OWASP Top 10 and provides exploitable vulnerability detection during pre-production. K2’s Platform is deployed on production servers for runtime protection of applications and on pen-testing/pre-production/QA servers for interactive application security testing to identify the location of the vulnerable code. K2’s solution generates almost no false positives, eliminates breaches due to zero-day attacks, detects attacks missed by traditional security tools like Web Application Firewalls and host based EDR, finds missed exploitable vulnerabilities and dramatically reduces security cost. K2 Cyber Security is headquartered in the USA and provides cyber security solutions globally.


K2 Cyber Security, Inc.

2580 N. First Street, #130

San Jose, CA 95131