42 percent of applications suffer from 'security debt'

A new report from Veracode shows that software security debt -- flaws that have gone unfixed for over a year -- is found in 42 percent of applications.

Although the number of high-severity flaws has reduced 70.8 percent of organizations still suffer from security debt. 45.9 percent have critical security debt, that is high-severity flaws that have been unfixed for 12 months or more.

When looking at where these flaws occur the report finds that only 10.6 percent of security debt is accounted for by third-party code. However, third-party code makes for 65.4 percent of critical debt. Third-party flaws take 50 percent longer to fix too, with a half-life of 11 months compared to seven months for flaws in first-party code.

About 70 percent of applications have flaws included in the OWASP Top 10, an initiative to track the most critical risk to web applications. For the Common Weakness Enumeration (CWE) Top 25 -- another effort to track the most common and impactful security weakness -- that statistic drops slightly to 41 percent of all applications.

Chris Eng, chief research officer at Veracode, says, "While we continue to see improvements in the security landscape, these findings are a wake-up call for organizations to address their security debt head-on. By prioritizing flaw remediation, focusing on third-party code security, and adopting efficient development practices, organizations can significantly reduce their security debt and enhance the overall state of software security across the board."

The research also finds remediation capacity among teams to be constrained, with only 64 percent of applications having a remediation capacity that's sufficient to eliminate critical security debt. In fact, only two out of ten applications show an average monthly fix rate that exceeds ten percent of all security flaws. This suggests, even in cases where teams' fix capacity is sufficient, they are not prioritizing critical flaws. It's not all bad news though, only three percent of all flaws constitute critical security debt, and this represents the largest risk exposure for applications. By prioritizing that three percent, organizations can achieve maximum risk reduction with focused effort.

"AI also paves the way for a new frontier in software security by empowering organizations to scale remediation efforts and more easily address the long backlog of security debt, as well as new flaws that emerge," adds Eng. "The vast majority of CWEs (Common Weakness Enumeration) with a severity rating from medium to very high can be addressed through AI-generated code edits from Veracode Fix."

You can read more and get the full report on the Veracode blog.

Image credit: Funtap/depositphotos.com