Flaw prevalence: Leading organizations have flaws in fewer than 43% of applications, while lagging organizations exceed 86%.Fix capacity: Leaders resolve over 10% of flaws monthly, whereas laggards address less than 1%.Fix speed: Top performers remediate half of flaws in five weeks; lower-performing organizations take longer than a year.Security debt prevalence: Less than 17% of applications in leading organizations carry security debt, compared with more than 67% in lagging ones.Open-source debt: Leading organizations keep open-source critical debt under 15%, whereas 100% of critical debt is open source in lagging organizations.Steps to improve security maturity include enhancing visibility and integration across the software development life cycle, using automation and feedback loops to prevent new security flaws. Veracode further argues that organizations should prioritize correlating and contextualizing security findings in a single view.”Most organizations suffer from fragmented visibility over the software flaws and risks within their applications, with sprawling toolsets that create ‘alert fatigue’ at the same time as silos of data to interpret and make decisions about,” Wysopal said. “The key factors that help them address the security backlog are the ability to prioritize remediation of flaws based on risk.”Veracode’s study is based on findings about 1.3 million unique applications that were subjected to a combination of static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. Software packages put through their paces came from companies of all sizes, commercial software suppliers, software outsourcers, and open-source projects.
Supply chain risks: On open-source security debt specifically, application security firm Black Duck reports that an analysis of 965 commercial codebases across 16 industries found that 86% of commercial codebases contained open-source software vulnerabilities and 81% contained high- or critical-risk vulnerabilities.Eight of the top ten high-risk vulnerabilities covered in Black Duck’s Open Source Security and Risk Analysis report were found in jQuery, a widely used JavaScript library.The most frequently found high-risk vulnerability was CVE-2020-11023, an XSS vulnerability affecting outdated versions of jQuery, but still present in a third of scanned codebases.The supply chain risk from vulnerabilities that originate from third-party and open-source code can be mitigated by continuously scanning code throughout the software development life cycle, Veracode advises. Enterprises should modernize their operations to ensure updating, testing, and deploying a new version of a custom application is as efficient as possible.”Software composition analysis (SCA) achieves this by detecting and managing the risks of third-party and open-source software components through an automated process,” Wysopal said. “It generates software bills of materials (SBOM), scans for vulnerabilities, assesses risk, and provides remediation guidance.”
Debt reduction program: By addressing security debt and leveraging best practices, businesses can enhance resilience, reduce risk, and comply with evolving cybersecurity regulations, according to Veracode. The application security specialist offers a run-down of factors that help develop an effective strategy for reducing security debt:
Automated testing: Integrate SAST, DAST, SCA, and other automated testing frameworks into CI/CD to catch flaws early.Risk-based policies: Focus on easily exploitable, high-severity flaws, and enforce strict “no-ship” standards.Empowered developers: Provide training, designate security champions, and treat security tasks like normal dev work.An accountability culture: Track vulnerabilities alongside functional bugs and fix them as they appear.Open-source oversight: Maintain a clear inventory of libraries, update them regularly, and automate checks.Discipline: While resources help, coherent strategy and strong processes matter more. Even smaller teams, if well-aligned and disciplined, often outperform larger ones with weaker focus.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3842489/companies-are-drowning-in-high-risk-software-security-debt-and-the-breach-outlook-is-getting-worse.html
