Organizations build 'security debt' by focusing on new flaws
A focus on fixing new issues while neglecting ageing flaws leads to increasing security debt according to a new report.
The study -- the 10th such report from security testing specialist Veracode -- analyzed more than 85,000 applications across more than 2,300 companies worldwide and finds that fixing vulnerabilities has become just as much a part of the development process as improving functionality.
"Over the past 10 years, we've seen a vast improvement in the overall state of application security. We've gone from having to discuss why AppSec is important to having conversations about the best way to approach the problem. This change is reflected in the data that shows companies are fixing a higher percentage of flaws than ever before," says Chris Wysopal, co-founder and chief technology officer at Veracode. "However, the report also shows us there is plenty of room for improvement, specifically when it comes to the issue of mounting security debt. Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole."
Among the report's other findings are that overall 83 percent of applications have at least one flaw in the initial scan, with information leakage (64 percent), cryptographic issues (62 percent), and CRLF injection (61 percent) the most common problems.
Despite the continued prevalence of flaws, though, development teams are making strides in keeping up with these vulnerabilities -- 70 percent are either reducing the number of flaws after a first scan or not introducing any other flaws by the time of the final scan. The pass rate for OWASP Top 10 compliance on the initial scan this year also reversed a three-year decline by rising to 32 percent, demonstrating that secure development education is helping to reduce the introduction of flaws.
But the report also reveals that the longer flaws stick around, the less likely they are to be corrected, which adds to an organization's security debt. About half of applications are accruing debt over time, a quarter are driving it down, and another quarter are breaking even.
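To make that bookkeeping concrete, here is an added example (not from Veracode or this article) that classifies each application's security-debt trend from its first and final scan, the way the report's three buckets are described; the scan data is constructed, and the `Scan` fields and the classification rule are assumptions.

```python
"""Classify security-debt trends from a sequence of scan results.

Added example: the scan data below is constructed, and the three-bucket
rule (accruing / reducing / break-even) is an assumption modelled on the
article's description, not the report's own methodology.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    day: int            # days since the application's first scan
    open_flaws: int     # unresolved findings reported by this scan
    owasp_top10: int    # how many of those map to an OWASP Top 10 category


def debt_trend(scans: list[Scan]) -> str:
    """Compare the first and final scan of one application.

    'accruing'   : more open flaws at the end than at the start
    'reducing'   : fewer open flaws at the end
    'break-even' : unchanged (fixes matched newly introduced flaws)
    """
    if len(scans) < 2:
        raise ValueError("need at least a first and a final scan")
    first, last = scans[0].open_flaws, scans[-1].open_flaws
    if last > first:
        return "accruing"
    if last < first:
        return "reducing"
    return "break-even"


def passes_owasp_top10(scan: Scan) -> bool:
    """An application passes only when it carries no OWASP Top 10 flaw."""
    return scan.owasp_top10 == 0


def portfolio_summary(apps: dict[str, list[Scan]]) -> dict[str, float]:
    """Share of applications in each bucket, the report's portfolio-level view."""
    counts = {"accruing": 0, "reducing": 0, "break-even": 0}
    for scans in apps.values():
        counts[debt_trend(scans)] += 1
    return {bucket: n / len(apps) for bucket, n in counts.items()}


# Constructed sample portfolio of four applications (not real scan data).
PORTFOLIO = {
    "billing":   [Scan(0, 12, 3), Scan(30, 15, 4), Scan(60, 18, 4)],  # accruing
    "portal":    [Scan(0, 20, 5), Scan(45, 9, 0)],                    # reducing
    "reporting": [Scan(0, 7, 1), Scan(30, 7, 1)],                     # break-even
    "api":       [Scan(0, 3, 0), Scan(14, 6, 2), Scan(28, 5, 1)],     # accruing
}
```

Feeding real scan exports into the same shape lets a team see which applications are quietly carrying a balance forward between releases.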
There are also regional differences, with companies in EMEA having the fewest high-severity flaws (32 percent), followed by the Americas (37 percent) and Asia-Pacific (40 percent).
You can find out more in the full report, which is available from the Veracode site.