Software security debt piles up for organizations even as critical flaws drop

While the prevalence of high-severity security flaws in applications has dropped significantly in the last few years, a large number of organizations still have critical security debt, according to a research by Veracode.

The research is based on data collected from Veracode’s recent static application security testing (SAST), dynamic application security testing (DAST), and software component analysis (SCA) scans for over one million applications.

“The proliferation of AI-generated code brings with it insecure code at scale and the likelihood of it becoming security debt,” said Chris Eng, chief research officer at Veracode. “Given the extent of security debt that we found, it is worth considering whether AI-assisted remediation tools may be helpful to pay down that debt, without the need to redirect your development teams or to increase their size.”

The research also found a considerable number of flaws in first-party as well as third-party codes, underlining the importance of testing them both throughout the software development life cycle (SDLC).

Critical flaws down, not out

The research found prevalence of high-severity flaws has dropped in 2023 (in 17.9% of applications) to half of what it was in 2016 (in 37.9% of applications). While only 3.2% of all flaws were found to be highly severe (CVSS 9 and above), almost 16% of such flaws were “very likely” to be exploited.

This meant that a little less than 1% (0.7%) of all the flaws detected in 2023 were both critical and highly exploitable.

Overall, 80% of all active applications were detected to have unresolved flaws using Veracode’s SAST, DAST, and SCA scans, while this was 73% for SAST-only scans which consider issues specifically in the development phase of the applications.

Flaws detected in third-party, open-source components were on par with those detected in first-party codes. In fact, 63.4% of applications had flaws in first-party codes, while 70.2% of applications had flaws in the third-party code. This, the research noted, has to do with the wider AI adoption and necessitates deep scanning of both sources in the software supply chain.

Additionally, it was found that, on average, a typical application has 42 flaws for every 1 MB of code. Cross-site scripting, injection, path traversal, and vulnerable and outdated components were found to be the top flaws in applications with high intensity (average findings per application) and volume (percent of applications).

Security dept piles on

Software security debt, defined in the research as any flaw that persisted unremediated for over a year, was found in 42% of all applications. This number drops to 23% if applications less than one-year-old are added to the mix, meaning 57% of applications are with flaws but no debt.

The picture is a little different when critical security debt (unremediated critical flaws) is taken into account. “A large majority of organizations (71%) have security debt at some level,” according to the research. “And close to half of all firms (46%) have high-severity persistent flaws that we’ll classify as critical security debt.”

A quarter of organizations with security debt have security debt in less than 17% of applications, with a quarter of them having debt in more than 67% of applications, the research noted. On average, almost half of all the flaws (47%) an organization has can be attributed to security debt.

To deal with software security debt, the research makes a few recommendations, including integrating security into SDLC, continuous remediation, prioritizing remediation for critical security debts, building developer security competency, and knowing your language’s debt profile.

Security Software

Go to Source