Monday, 2nd August 2021

Half of application security flaws remain open six months after discovery

SOSS Volume 11 finds 76% of applications have at least one security flaw.

Veracode has introduced the State of Software Security (SOSS) Volume 11 revealing the majority of applications contain at least one security flaw and fixing those flaws typically takes months. This year’s analysis of 130,000 applications found that it takes about six months for teams to close half the security flaws they find.


The report also uncovered some best practices that significantly improve these fix rates. Veracode found that some factors are largely outside a team's control while others are largely within it, and categorised them as “nature vs. nurture”. On the “nature” side Veracode considered factors such as the size of the application and organisation as well as accumulated security debt, while the “nurture” side covers actions such as scanning frequency, cadence, and scanning via APIs.

Fixing Security Flaws: Nature or Nurture?

SOSS 11 revealed that addressing issues with modern DevSecOps practices results in higher flaw remediation rates. For example, using multiple application security scan types, working within smaller or more modern apps, and embedding security testing into the pipeline via an API all make a difference in reducing time to fix security defects, even in apps with a less than ideal “nature.”

“The goal of software security isn’t to write applications perfectly the first time, but to find and fix the flaws in a comprehensive and timely manner,” said Chris Eng, Chief Research Officer at Veracode. “Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools.”

Other key findings of SOSS 11 include:

  • Flawed applications are the norm: 76% of applications have at least one security flaw, but only 24% have high-severity flaws. This is a good sign that most applications do not have critical issues that pose serious risks to the application. Frequent scanning can reduce the time it takes to close half of observed findings by more than three weeks.
  • Open source flaws on the rise: while 70% of applications inherit at least one security flaw from their open source libraries, SOSS 11 also found that 30% of applications have more flaws in their open source libraries than in the code written in-house. The key lesson is that software security comes from getting the whole picture, which includes identifying and tracking the third-party code used in applications.
  • Multiple scan types prove efficacy of DevSecOps: teams using a combination of scan types including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) improve fix rates. Those using SAST and DAST together fix half of flaws 24 days faster.
  • Automation matters: those who automate security testing in the SDLC address half of the flaws 17.5 days faster than those that scan in a less automated fashion.
  • Paying down security debt is critical: the link between frequently scanning applications and faster remediation times has been established in Veracode’s prior State of Software Security research. This year’s report also found that reducing security debt – fixing the backlog of known flaws – lowers overall risk. SOSS 11 found that older applications with high flaw density experience much slower remediation times, adding an average of 63 days to close half of flaws.
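The findings above are all expressed as the number of days it takes to close half of the flaws found, compared between cohorts (frequent vs. infrequent scanning, automated vs. manual, low vs. high security debt). The following is an added example, not code from the report or from Veracode, showing how a team could compute that same "days to close half of findings" metric from its own scan results and compare cohorts the way the report does. The findings, cohort labels and cut-off date are constructed sample data; still-open findings count against the half, which is why a cohort in which fewer than half the flaws are closed by the cut-off yields no value.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One security finding from a scan (constructed data model for this example)."""
    app: str
    cohort: str          # hypothetical label, e.g. "frequent" or "infrequent" scanning
    severity: str
    discovered: date
    closed: Optional[date]  # None means still open at the cut-off date


def days_to_close_half(findings: List[Finding], as_of: date) -> Optional[int]:
    """Days after discovery by which at least half of the findings were closed.

    Open findings (or ones closed after `as_of`) are counted in the total but never
    as closed, so if fewer than half are closed by the cut-off the result is None.
    """
    if not findings:
        return None
    ages = sorted(
        (f.closed - f.discovered).days
        for f in findings
        if f.closed is not None and f.closed <= as_of
    )
    needed = (len(findings) + 1) // 2  # ceil(n / 2)
    if len(ages) < needed:
        return None
    return ages[needed - 1]


def compare_cohorts(findings: Iterable[Finding], as_of: date) -> Dict[str, Optional[int]]:
    """Group findings by cohort label and compute the metric for each group."""
    groups: Dict[str, List[Finding]] = {}
    for f in findings:
        groups.setdefault(f.cohort, []).append(f)
    return {name: days_to_close_half(group, as_of) for name, group in groups.items()}


def remediation_gap_days(results: Dict[str, Optional[int]], slower: str, faster: str) -> Optional[int]:
    """How many days faster the `faster` cohort closes half its flaws; None if either cohort never got there."""
    if results.get(slower) is None or results.get(faster) is None:
        return None
    return results[slower] - results[faster]


# Constructed sample findings; dates and apps are invented for illustration.
CUT_OFF = date(2021, 6, 30)
SAMPLE_FINDINGS = [
    # Cohort scanned on every build: flaws are caught and closed quickly.
    Finding("shop-api", "frequent", "high", date(2021, 1, 4), date(2021, 1, 20)),
    Finding("shop-api", "frequent", "medium", date(2021, 1, 4), date(2021, 2, 10)),
    Finding("shop-web", "frequent", "medium", date(2021, 2, 1), date(2021, 2, 15)),
    Finding("shop-web", "frequent", "low", date(2021, 2, 1), date(2021, 3, 30)),
    Finding("shop-web", "frequent", "low", date(2021, 3, 1), None),
    Finding("shop-api", "frequent", "high", date(2021, 3, 1), date(2021, 5, 1)),
    # Cohort scanned a few times a year: the same number of flaws, closed much later.
    Finding("legacy-erp", "infrequent", "high", date(2021, 1, 4), date(2021, 4, 20)),
    Finding("legacy-erp", "infrequent", "medium", date(2021, 1, 4), None),
    Finding("legacy-erp", "infrequent", "medium", date(2021, 2, 1), date(2021, 6, 1)),
    Finding("legacy-hr", "infrequent", "low", date(2021, 2, 1), None),
    Finding("legacy-hr", "infrequent", "high", date(2021, 3, 1), date(2021, 3, 31)),
    Finding("legacy-hr", "infrequent", "low", date(2021, 3, 1), None),
    # Cohort carrying a large backlog: fewer than half of its flaws are closed by the cut-off.
    Finding("old-portal", "high_debt", "high", date(2021, 1, 4), date(2021, 2, 1)),
    Finding("old-portal", "high_debt", "medium", date(2021, 1, 4), None),
    Finding("old-portal", "high_debt", "medium", date(2021, 1, 4), None),
    Finding("old-portal", "high_debt", "low", date(2021, 1, 4), None),
]


if __name__ == "__main__":
    results = compare_cohorts(SAMPLE_FINDINGS, CUT_OFF)
    for cohort, days in results.items():
        print(f"{cohort:>10}: {'not reached' if days is None else f'{days} days'} to close half of findings")
    gap = remediation_gap_days(results, "infrequent", "frequent")
    print(f"frequent scanning closes half of flaws {gap} days faster")
```

Run as a script it prints one line per cohort; the `high_debt` cohort reports "not reached" because three of its four flaws are still open, which is the same shape of result the report describes for older, high-flaw-density applications. Feeding real scan exports into `SAMPLE_FINDINGS` (with the cohort label set from scan frequency, automation, or application age) lets a team check its own numbers against the benchmarks in the findings above.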
