Half of Organizations Carry Critical Software Security Debt, Warns Veracode
A new report from Veracode reveals a concerning trend in software security. Half of all organizations carry critical security debt, with a significant portion stemming from third-party code. Despite this, the prevalence of high-severity flaws has halved since 2016.
The report highlights that more than half of applications contain high-severity vulnerabilities, with 80.3% having any flaws at all. Around two-thirds of apps have flaws in first-party code, while a staggering 70% have flaws in third-party code. This is alarming, given that over two-thirds of critical security debt originates from third-party code and the software supply chain.
The situation is further exacerbated by the increasing reliance on third-party code and AI-generated code, which has led to a 327% increase in average fix time compared to 15 years ago. Currently, the average fix time stands at eight and a half months, a 47% increase over the past five years. This prolonged fix time is concerning, as it leaves systems vulnerable for extended periods.
However, there is some positive news. The proportion of apps without any flaws from the OWASP Top 10 vulnerabilities list has risen by 63% in the past five years. Additionally, there has been a steady decline in apps containing flaws from the SANS Institute Top 25 Software Errors list. Despite these improvements, there is no current, public ranking or listing of organizations that excel or struggle at resolving software security vulnerabilities.
The Veracode report underscores the pressing need for organizations to address their software security debt, particularly that arising from third-party code. With fix times on the rise and vulnerabilities persisting, organizations must prioritize swift and effective remediation. While progress has been made in reducing certain types of flaws, there is still much work to be done to ensure the security and stability of our digital landscape.