The majority of applications still contain at least one security flaw, but the time to fix has massively declined.
According to Veracode‘s latest State of Software Security report, fixing those flaws can typically take months, with this year’s analysis of 130,000 applications finding it takes about six months for teams to close half the security flaws they find. It said its scan of those 130,000 applications found 76% had at least one security flaw, but only 24% have high-severity flaws.
Speaking to Infosecurity, Veracode EMEA CTO Paul Farrington said the minority of that 24% were the “most severe flaws.” He added: “What has changed is, compared to 2018, where 52% of flaws were fixed, and 56% were fixed in 2019, in 2020 the fix rate is up to 73%. In security we often talk doom and gloom but this is great, and shows developer teams are stepping up and improving.”
Farrington also claimed that the most prominent flaws, as featured in the OWASP Top 10, “remain persistent and seem prevalent.” Asked why those flaws are still prevalent, Farrington said newer frameworks “make it less easy to do bad stuff” but not every company and developer team has “the choice of bleeding edge framework and tens and thousands of apps still need to be maintained.”
The report also found that while 70% of applications inherit at least one security flaw from their open source libraries, 30% of applications have more flaws in their open source libraries than in the code written in-house.
Farrington said: “There is a reliance on apps using open source code, and this is a good thing as organizations are not paying to reinvent the wheel, but the challenge is that if you use open source software, you’re basically importing a security risk into the organization.”
Veracode also promoted the concept of automating code scanning, finding that those companies doing a combination of dynamic and static analysis simultaneously can fix half of the flaws 24 days faster. Farrington said if you are able to implement frequent weekly scanning processes into your software, you can remove 22 days from the time to fix, than when doing a scan on an ad hoc basis.
Asked if he felt the lockdown had impacted application security fix times, Farrington said, if you consider “what has been thrown at them [dev teams] this year, they can be forgiven for taking their eye off the ball” so they have found companies are scanning and automating more, “and not relying on the old customs that worked in the past.”
Chris Eng, chief research officer at Veracode, said: “The goal of software security isn’t to write applications perfectly the first time, but to find and fix the flaws in a comprehensive and timely manner. Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools.”