Half of application security flaws are still unfixed six months after they are discovered, Veracode said in the recently released 11th volume of its State of Software Security report.
Still, most applications do not have critical issues that pose serious risks to the software, even though three-quarters contain at least one security flaw, the Burlington, Massachusetts-based application security (AppSec) testing vendor said, based on its review of testing data from scans of more than 130,000 active applications. Roughly one-quarter have what Veracode called "high-severity" flaws.
Of particular note is Veracode's distinction between factors security teams have "very little control" over, such as the size of the application and the organization and the accumulated security debt, which it calls the application's "nature", and factors that can be controlled, such as scanning frequency, cadence and scanning via APIs, which it terms "nurture."
Addressing security issues with modern DevSecOps practices results in higher flaw remediation rates, said Chris Eng, Veracode's chief research officer. "The goal of software security isn't to write applications perfectly the first time, but to find and fix the flaws in a comprehensive and timely manner," he said. "Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools."
Chief among the actions that improve app security, Veracode said, are using multiple scan types, working in smaller or more modern apps, and embedding security testing into the pipeline via an API; each reduces the time it takes to fix security defects.
Here are the report’s key findings:
- 76% of applications have at least one security flaw, but only 24% have high-severity flaws.
- Frequent scanning can reduce the time it takes to close half of observed findings by more than three weeks.
- 70% of applications inherit at least one security flaw from their open source libraries.
- 30% of applications have more flaws in their open source libraries than in the code written in-house.
- Using a combination of scan types including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) improves fix rates.
- Using SAST and DAST together fixes 50% of flaws 24 days faster.
- Teams that automate security testing in the software development life cycle address half of their flaws 17.5 days faster than those that scan in a less automated way.
- Older applications with high flaw density experience much slower remediation times, adding an average of 63 days to close half of flaws.
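Several of the findings above are expressed as "the time it takes to close half of observed findings", which is a survival-style metric rather than a simple average: findings that are still open when the data is pulled count in the denominator but never as closed. The script below is an added illustration of how such a metric can be computed over scan data; it is not Veracode's methodology or code, and the two cohorts of findings it uses (a frequently scanned application and an infrequently scanned one) are constructed for the example.

```python
"""Compute "days to close half of findings" and a fix rate over scan findings.

Added example, not Veracode's methodology. All findings below are constructed
sample data; the dates are arbitrary.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str            # e.g. "high", "medium", "low"
    opened: date             # date the scanner first reported the flaw
    closed: Optional[date]   # None means still open when the data was pulled


def closure_ages(findings: List[Finding], as_of: date) -> List[int]:
    """Sorted days-from-discovery-to-closure for findings closed on or before as_of.

    Open findings (and findings closed after as_of) are censored: they are
    left out here but still count in the denominator of the metrics below.
    """
    return sorted(
        (f.closed - f.opened).days
        for f in findings
        if f.closed is not None and f.closed <= as_of
    )


def days_to_close_half(findings: List[Finding], as_of: date) -> Optional[int]:
    """Days by which at least half of the findings had been closed.

    Returns None when fewer than half are closed as of `as_of`, which is the
    honest answer rather than a misleadingly small number built only from the
    findings that happened to get fixed.
    """
    n = len(findings)
    if n == 0:
        return None
    target = (n + 1) // 2          # smallest count that is "at least half"
    ages = closure_ages(findings, as_of)
    if len(ages) < target:
        return None
    return ages[target - 1]


def fix_rate(findings: List[Finding], as_of: date, within_days: int) -> float:
    """Fraction of all findings closed within `within_days` of discovery."""
    if not findings:
        return 0.0
    ages = closure_ages(findings, as_of)
    return sum(1 for a in ages if a <= within_days) / len(findings)


# --- constructed sample data -------------------------------------------------
BASE = date(2020, 1, 1)
AS_OF = BASE + timedelta(days=120)


def _mk(fid: str, sev: str, opened_day: int, closed_day: Optional[int]) -> Finding:
    """Helper (example only): build a Finding from day offsets relative to BASE."""
    closed = None if closed_day is None else BASE + timedelta(days=closed_day)
    return Finding(fid, sev, BASE + timedelta(days=opened_day), closed)


# Application scanned on every build: flaws are found and closed quickly.
FREQUENT = [
    _mk("F-1", "high", 0, 3),
    _mk("F-2", "medium", 2, 7),
    _mk("F-3", "high", 5, 13),
    _mk("F-4", "low", 10, 22),
    _mk("F-5", "medium", 30, None),   # still open
]

# Application scanned rarely: long gaps before findings are even looked at.
INFREQUENT = [
    _mk("I-1", "high", 0, 20),
    _mk("I-2", "medium", 0, 45),
    _mk("I-3", "high", 5, 95),
    _mk("I-4", "low", 10, None),      # still open
    _mk("I-5", "medium", 40, None),   # still open
]

# Mostly-open backlog: fewer than half closed, so the half-life is undefined.
SPARSE = [
    _mk("S-1", "high", 0, 15),
    _mk("S-2", "high", 0, None),
    _mk("S-3", "low", 3, None),
]


def summarize(cohorts: Dict[str, List[Finding]], as_of: date) -> Dict[str, Tuple[Optional[int], float]]:
    """Per cohort: (days to close half, 30-day fix rate)."""
    return {name: (days_to_close_half(fs, as_of), fix_rate(fs, as_of, 30)) for name, fs in cohorts.items()}


if __name__ == "__main__":
    for name, (half, rate) in summarize({"frequent": FREQUENT, "infrequent": INFREQUENT, "sparse": SPARSE}, AS_OF).items():
        print(f"{name:11s} half-closed after {half} days, 30-day fix rate {rate:.0%}")
```

Note that the `as_of` cutoff matters: evaluating the infrequently scanned cohort at day 60 instead of day 120 excludes the finding closed on day 95, and with only two of five findings closed the half-life is reported as undefined rather than as 45 days.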