Apps gain more security flaws as they get older
Just as machinery becomes less reliable as it gets older and people develop more health issues with age, so it seems software is more likely to have security flaws later in its life.
A new report from security testing company Veracode shows that while 32 percent of applications are found to have flaws at the first scan, by the time they have been in production for five years, nearly 70 percent contain at least one security flaw.
The report suggests teams should prioritize remediation early in the software development lifecycle in order to minimize risks caused by flaw accumulation.
Chris Eng, chief research officer at Veracode, says, "As with all our studies, we set out to provide insights that developers can put into action right away. From this year's findings, two important considerations emerged: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced. Aside from technical access controls, secure coding practices are all the more crucial for cybersecurity in 2023 and beyond."
After the initial scan, apps quickly enter a 'honeymoon period' of stability: nearly 80 percent pick up no new flaws at all for the first 1.5 years. After this point, however, the share of apps introducing new flaws begins to climb again, reaching approximately 35 percent at the five-year mark. By the time a piece of software reaches the 10-year point there's a 90 percent chance of it having at least one flaw.
Veracode's research team also examined 30,000 open-source repositories publicly hosted on GitHub. Interestingly, 10 percent of repositories hadn't had a commit -- a change to the source code -- for almost six years.
"Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins," adds Eng. "Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies."
The report recommends that security teams and developers tackle technical and security debt as early and quickly as possible. They should also prioritize automation and developer security training, so that teams understand which vulnerabilities are most likely to be introduced and learn techniques for avoiding flaws altogether.
You can get the full report from the Veracode site.