
Software security: Developers drown in technical debt



Security company Veracode has published a new edition of its State of Software Security (SoSS) report. It analyzes how prevalent security flaws are in software, describes the security debt that companies accumulate over the years when they leave problems unfixed, and makes recommendations for reducing the risk. The need is real: more than 70 percent of companies have security flaws in their software, many of them classified as critical.



Who is responsible for the security flaws is, according to the study, not as clear-cut as many assume. 70.2 percent of the applications tested have security-relevant flaws in third-party code, such as embedded libraries or open-source components; however, 63.4 percent of applications also carry flaws in first-party code written by the company's own development teams.

When these security-relevant problems are left open, security debt arises: technical debt that becomes a growing burden over the life cycle of a piece of software. As a likely cause, the report names the tendency of development teams to put functional requirements ahead of security requirements, so that flaws are not fixed promptly.

Older and larger applications tend to accumulate more security flaws, because the complexity of their code base and the number of their dependencies grow over time. Combined with inadequate training in secure coding practices and a lack of continuous security testing throughout the development cycle, this ultimately leads to slower fix rates.

The State of Software Security 2024 offers some hope on this point. Even though the rate at which new and existing flaws accumulate will always exceed the capacity to fix them, only three percent of the flaws in code can be classified as truly critical. Teams that prioritize this top three percent fare well overall.

It is worth taking a look at the most common flaw types, which the report maps to the Common Weakness Enumeration (CWE) and the OWASP (Open Web Application Security Project) Top 10.

Focusing on the most important critical gaps creates a higher level of security (pictured: distribution and severity of CWE and OWASP errors in software applications).

(Image: Veracode The State of Software Security 2024)

External libraries play an increasingly important role in assessing software security. Even self-developed ("home-grown") software now routinely has dozens to hundreds of external dependencies. Too often, developers follow the motto "import it and ignore it". Java, Ruby and Python applications in particular have accumulated additional dependencies in recent years, and the growth pattern differs from language to language.


Number of dependencies

The number of libraries per application over time varies depending on the programming language.

(Image: Veracode The State of Software Security 2024)

The number of direct and transitive dependencies varies by programming language; in most cases the "dependencies of dependencies" roughly double the size of the supply chain. In languages such as Java and JavaScript, transitive dependencies can inflate the dependency count by a factor of five to six.

The report highlights a further risk factor: as in previous years, more than half of all applications use libraries that have fewer than ten contributors or that have not been updated in more than a year. At the same time, Veracode emphasizes the main advantage of open-source libraries: as a community grows, more eyes review the code, and because the source is openly accessible, flaws are often fixed more quickly.
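To make the two findings above tangible, here is an added example (not code from the report or from Veracode) that measures the direct-versus-transitive expansion in an npm lockfile and flags libraries that match the "fewer than ten contributors or no release in over a year" pattern. The lockfile, the package names and the registry metadata are all constructed for the example; in practice the metadata would come from the npm registry or a tool such as a dependency scanner.

```python
"""Count direct vs. transitive dependencies in an npm lockfile (lockfileVersion 3)
and flag sparsely maintained libraries. Added example with constructed data."""
import json
from datetime import date

# Constructed package-lock.json; the package names are made up for illustration.
LOCKFILE_JSON = r'''{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^4.0.0", "template-engine": "^2.1.0"}},
    "node_modules/web-framework": {"version": "4.2.0",
      "dependencies": {"body-parser": "^1.0.0", "cookie": "^0.5.0", "debug": "^2.0.0"}},
    "node_modules/body-parser": {"version": "1.3.0",
      "dependencies": {"raw-body": "^2.0.0", "debug": "^2.0.0"}},
    "node_modules/raw-body": {"version": "2.4.0", "dependencies": {"bytes": "^3.0.0"}},
    "node_modules/bytes": {"version": "3.1.0"},
    "node_modules/cookie": {"version": "0.5.0"},
    "node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
    "node_modules/ms": {"version": "2.0.0"},
    "node_modules/template-engine": {"version": "2.1.0", "dependencies": {"debug": "^4.0.0"}},
    "node_modules/template-engine/node_modules/debug": {"version": "4.3.4",
      "dependencies": {"ms": "2.1.2"}},
    "node_modules/template-engine/node_modules/ms": {"version": "2.1.2"}
  }
}'''

# Constructed registry metadata keyed by package name (not fetched from npm).
REGISTRY_METADATA = {
    "web-framework":   {"last_publish": "2023-11-02", "contributors": 40},
    "template-engine": {"last_publish": "2022-01-20", "contributors": 2},
    "body-parser":     {"last_publish": "2023-09-14", "contributors": 25},
    "raw-body":        {"last_publish": "2023-08-01", "contributors": 12},
    "bytes":           {"last_publish": "2021-06-30", "contributors": 5},
    "cookie":          {"last_publish": "2023-05-10", "contributors": 15},
    "debug":           {"last_publish": "2023-02-15", "contributors": 30},
    "ms":              {"last_publish": "2020-11-05", "contributors": 8},
}

AS_OF = "2024-01-15"   # constructed reference date for the staleness check


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b' (scoped names keep their '@scope/')."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(packages, requester, name):
    """Mimic npm's lookup: the requester's own node_modules first, then each ancestor's."""
    base = requester
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None                      # unresolved: the lockfile is inconsistent
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut >= 0 else ""


def dependency_footprint(lockfile_text):
    """Return direct installs, transitive installs and the expansion factor."""
    packages = json.loads(lockfile_text)["packages"]
    direct = set()
    for name in packages[""].get("dependencies", {}):
        path = resolve(packages, "", name)
        if path:
            direct.add(path)
    reached, stack = set(), list(direct)
    while stack:                             # depth-first walk over the install tree
        path = stack.pop()
        if path in reached:
            continue
        reached.add(path)
        for dep in packages[path].get("dependencies", {}):
            child = resolve(packages, path, dep)
            if child and child not in reached:
                stack.append(child)
    transitive = reached - direct
    return {
        "direct": sorted(direct),
        "transitive": sorted(transitive),
        "installs": len(reached),            # counts duplicate installs of one name
        "unique_names": len({package_name(p) for p in reached}),
        "multiplier": len(reached) / len(direct) if direct else 0.0,
    }


def flag_risky_libraries(footprint, metadata, as_of_iso, max_age_days=365, min_contributors=10):
    """Flag packages that are stale (no release in > max_age_days) or thinly
    maintained (< min_contributors): the two signals the report singles out."""
    today = date.fromisoformat(as_of_iso)
    flagged = {}
    for path in footprint["direct"] + footprint["transitive"]:
        name = package_name(path)
        meta = metadata.get(name)
        if meta is None:
            flagged[name] = ["no registry metadata"]
            continue
        reasons = []
        age = (today - date.fromisoformat(meta["last_publish"])).days
        if age > max_age_days:
            reasons.append(f"stale ({age} days since last release)")
        if meta["contributors"] < min_contributors:
            reasons.append(f"only {meta['contributors']} contributors")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    fp = dependency_footprint(LOCKFILE_JSON)
    print(f"direct={len(fp['direct'])} transitive={len(fp['transitive'])} "
          f"installs={fp['installs']} expansion=x{fp['multiplier']:.1f}")
    for name, reasons in flag_risky_libraries(fp, REGISTRY_METADATA, AS_OF).items():
        print(f"  {name}: {'; '.join(reasons)}")
```

Two direct dependencies pull in ten installs here, a fivefold expansion in line with the JavaScript figure above, and the walk also shows why counting installs and counting unique names differ: `debug` and `ms` are installed twice at different versions, so a vulnerable version can survive in a nested copy even after the top-level one is updated.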

Because security problems in applications are so widespread, Veracode concluded that they are endemic and an integral part of software development. Only two out of ten applications have an average monthly bug fix rate of more than ten percent of all security defects. Only a few teams succeed in stopping the growing security debt.

The report suggests two key approaches to keeping business risks under control.

  1. Since only three percent of all problems pose a serious risk, prioritization is crucial. Much is gained when teams focus on solving these security issues.
  2. Artificial intelligence (AI) can help improve remediation, especially when large language models (LLMs) are trained on specific CWEs to support developers in fixing flaws. In future, this approach may leave teams with fewer relevant problems to solve themselves and more time for value creation.

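An added example (not from the report or Veracode) of what "prioritize the critical three percent" looks like as a triage rule over scan findings, together with the monthly fix rate the report uses as a yardstick. The findings are constructed; the thresholds are assumptions for illustration: a flaw open for more than a year counts as security debt, and debt of severity 4 or 5 counts as critical.

```python
"""Separate security debt and critical security debt from a set of scan findings,
order remediation so the critical slice goes first, and compute a monthly fix rate.
Added example with constructed data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEBT_AGE_DAYS = 365       # assumption: open for more than a year -> security debt
CRITICAL_SEVERITY = 4     # assumption: severity 4 (high) and 5 (very high) -> critical


@dataclass(frozen=True)
class Finding:
    app: str
    cwe: str
    severity: int                       # 1 (low) .. 5 (very high)
    first_seen: date
    fixed_on: Optional[date] = None     # None while the flaw is still open


# Constructed findings, not taken from any real scan.
FINDINGS = [
    Finding("billing", "CWE-89",   5, date(2022, 6, 1)),
    Finding("billing", "CWE-79",   3, date(2022, 11, 20)),
    Finding("billing", "CWE-798",  4, date(2023, 12, 1)),
    Finding("portal",  "CWE-22",   4, date(2022, 9, 10)),
    Finding("portal",  "CWE-200",  2, date(2021, 3, 1)),
    Finding("portal",  "CWE-20",   3, date(2023, 10, 5)),
    Finding("portal",  "CWE-502",  5, date(2022, 1, 15), fixed_on=date(2023, 12, 20)),
    Finding("api",     "CWE-352",  3, date(2023, 1, 10)),
    Finding("api",     "CWE-611",  5, date(2023, 3, 1)),
    Finding("api",     "CWE-1004", 1, date(2020, 5, 5)),
]

TODAY = date(2024, 1, 15)                          # constructed reference date
REPORT_MONTH = (date(2023, 12, 1), date(2024, 1, 1))  # [start, end) of the month reviewed


def age_days(f, today):
    return (today - f.first_seen).days


def is_open(f, today):
    return f.fixed_on is None or f.fixed_on > today


def is_security_debt(f, today):
    return is_open(f, today) and age_days(f, today) > DEBT_AGE_DAYS


def is_critical_debt(f, today):
    return is_security_debt(f, today) and f.severity >= CRITICAL_SEVERITY


def summarize(findings, today):
    """Counts of open flaws, debt and critical debt, plus the critical share."""
    open_ = [f for f in findings if is_open(f, today)]
    debt = [f for f in open_ if is_security_debt(f, today)]
    critical = [f for f in debt if is_critical_debt(f, today)]
    return {
        "open": len(open_),
        "debt": len(debt),
        "critical_debt": len(critical),
        "critical_share": len(critical) / len(open_) if open_ else 0.0,
        "apps_with_critical_debt": sorted({f.app for f in critical}),
    }


def prioritize(findings, today):
    """Critical debt first, then by severity, then oldest first."""
    open_ = [f for f in findings if is_open(f, today)]
    return sorted(open_, key=lambda f: (not is_critical_debt(f, today),
                                        -f.severity, -age_days(f, today)))


def monthly_fix_rate(findings, month_start, month_end):
    """Share of findings open at month_start that were fixed before month_end."""
    open_at_start = [f for f in findings
                     if f.first_seen < month_start and is_open(f, month_start)]
    fixed = [f for f in open_at_start
             if f.fixed_on is not None and f.fixed_on < month_end]
    return len(fixed) / len(open_at_start) if open_at_start else 0.0


if __name__ == "__main__":
    print(summarize(FINDINGS, TODAY))
    for f in prioritize(FINDINGS, TODAY):
        tag = "CRITICAL DEBT" if is_critical_debt(f, TODAY) else ("debt" if is_security_debt(f, TODAY) else "")
        print(f"{f.app:8} {f.cwe:9} sev={f.severity} age={age_days(f, TODAY):4}d {tag}")
    print(f"fix rate for the month: {monthly_fix_rate(FINDINGS, *REPORT_MONTH):.1%}")
```

The sort key puts the critical-debt items at the top regardless of how many newer flaws exist, which is the behaviour the report recommends; a team working the list top-down clears the dangerous backlog before it spends time on recent low-severity findings. The fix-rate function counts only flaws that were already open at the start of the month, so newly discovered flaws do not dilute the rate.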

(Who)
