In terms of particular kinds of flaws — defined by Veracode as ‘an implementation defect that can lead to a vulnerability’ — 69.7 per cent of applications contained at least one in the OWASP Top 10, with 56.9 per cent having flaws listed in the CWE Top 25.
Meanwhile, 19.2 per cent of applications had software security flaws defined by researchers as ‘high severity’.
Regarding coding language used, .NET applications were found to be particularly vulnerable with 82.2 per cent having at least one found flaw, compared to Java (77.7 per cent) and JavaScript (55.8 per cent).
With businesses globally utilising increasingly complex third-party software to deliver services, exploitation of a serious vulnerability by threat actors can impact thousands of victims simultaneously, meaning patching needs to be consistently put in place.
As generative AI continues to gain traction in the software development space, the risk of vulnerabilities from external sources increases.
The future of private AI: open source vs closed source — As regulation of artificial intelligence evolves, the future of AI could be private in nature – here’s how adoption of open and close source capabilities would compare.
“This year’s State of Software Security report shines a light on the importance of security across the entire software lifecycle, as well as the urgent need to address risks posed by third-party and AI-generated code,” said Chris Eng, chief research officer at Veracode.
“Our data shows that organisations globally are continuing to deploy a worrying number of applications with a high number of flaws in the CWE Top 25.
“We did, however, identify interesting regional differences, particularly in terms of third-party or open source code usage and the ways in which vulnerabilities are introduced across the application lifecycle.”
How to keep applications secure
In line with its research, Veracode listed the following steps that businesses can take in order to keep software vulnerabilities at bay:
- Examine application lifecycles: Findings show an increase in application flaws at the beginning of the second year, so application delivery and security teams should work together to implement style guidelines, documentation, and code review, as well as audit regularly.
- Carry out regular scans: Often, software security flaws are found in bunches, which can occur due to irregularly cadence of scanning. Security staff should scan regularly to make the process of finding and fixing flaws more predictable.
- Scan using APIs: Automating the scanning process can go a long way in reducing the chances of, and in turn the amount of flaws being introduced. According to researchers, programs that leverage automation eliminate ad hoc changes including code review and testing, that have not been vetted.
- Write simple code yourself: When it comes to open source applications, most of which are written in Java, security teams should explore how they should go about including relatively simple libraries that bring dependency chains of questionable value, and write code in-house where possible.
Over 750,000 applications using all scan types were surveyed across Veracode’s customer base for the 2023 State of Software Security report, with raw static findings generated by all scans totalling 86 million.
Related:
61,000 open source projects, vulnerable to 15-year-old flaw, now patched — Here’s how a cybersecurity firm have gone about amending a 15-year-old flaw found in Python-based projects.
