A new report from application security testing company Veracode reveals concerning levels of unresolved software vulnerabilities, or “security debt,” across most organizations.
The 14th annual State of Software Security (SOSS) report analyzed data from more than 1 million application scans to assess the current landscape of security debt in software. The report defines security debt as any flaw left unresolved for more than one year, allowing vulnerabilities to accumulate much like financial debt.
Key findings include:
- 71% of organizations have security debt, with 46% having critical high-severity flaws persisting more than one year.
- It takes nine months on average to fix half of all flaws, 50% longer for third-party flaws.
- 42% of applications have flaws persisting over one year that qualify as security debt.
Developers Do Not Prioritize Critical Flaws
Among the most surprising findings in the report is the revelation that for the most part, developers are not prioritizing critical flaws when they fix bugs.
“You would assume that they would work on the most important stuff first, the highest severity, most critical items first, to reduce risk by the most,” Chris Eng, chief research officer at Veracode, said during a live webinar discussing the report. “But when you actually look at what’s happening, that’s not the case. The most severe stuff is not being worked on the fastest or first.”
Based on Veracode’s research, there’s almost no distinction between the rate at which developers are prioritizing and fixing critical issues over non-critical flaws, according to Eng. The research does not provide a data-backed answer as to why that’s the case, but Eng has a few ideas as to why it’s occurring.
“My guess is that there’s just so much to do,” he said. “Maybe they’re working on what they think is the easiest for them to fix.”
Eng added that developers might well be focused on just getting things done in the fastest way possible so are fixing bugs with the fewest lines of code. With that approach, a developer might be able to fix more bugs in a day than if they instead focused on the critical issues, which might be more complex and time-consuming to solve.
Prevalence of Security Debt Spans All Types of Applications
The volume of security issues that developers need to address is a major concern that is highlighted in the report.
According to Veracode, in a typical organization, 1 in 3 applications contain security debt. Not surprisingly, large legacy applications tend to accumulate the most security debt.
The report indicates that security debt arises from unresolved flaws in both code developed in-house (63% of applications affected) and third-party libraries (70% affected). However, flaws in third-party code take 50% longer to address.
Keys to Reducing Security Debt
The report offers several recommendations to begin resolving security debt, including:
- Prioritize remediation of critical, high-severity flaws over 1 year old, as these represent 3% of all flaws but are the greatest risk
- Integrate scanning and testing across the entire software development life cycle
- Move toward continuous remediation to fix flaws faster
- Improve developer security competency through hands-on education
- Develop strategies to secure the open-source software supply chain
About the author
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He consults to industry and media organizations on technology issues.