Even with a stronger focus on security this year, most software is still riddled with security vulnerabilities. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET applications contain at least one vulnerability. In addition, over 13 percent of applications contain at least one critical vulnerability.
“Our annual SOSS data puts hard evidence on the table to explain why so many security professionals experience anxiety when they think about application security (AppSec),” the report stated. “There is no way to sugar coat it: the sheer volume of flaws and percentage of vulnerable apps remain staggeringly high.”
Among the vulnerabilities, SQL injection flaws and cross-site scripting (XSS) remained most common, which is consistent with previous years. SQL injection flaws were found in about one in three applications, while XSS vulnerabilities were present in about half of the applications.
The report also claimed that close rates of vulnerabilities improved by 12 percent this year. Customers closed about 70 percent of the vulnerabilities that they found this year. While this is an improvement over previous years, it’s important to consider that it takes attackers only a few hours or days to create exploits for new vulnerabilities. “It is crucial to measure both how many flaws organizations close out every year, and how long it takes them to do so,” Veracode explained in the report.
Over 70 percent of flaws were still in place one month after discovery and 55 percent remain three months after being discovered. In addition, 25 percent of high and very high severity vulnerabilities are not addressed within 290 days of being discovered.
Organizations with active DevSecOps initiatives in place fixed vulnerabilities over 11.5 times faster than typical organizations. “As the DevOps movement has unfolded, security-minded organizations have recognized that embedding security design and testing directly into the continuous software delivery cycle of DevOps is a must for enterprises,” Veracode wrote. “This is the genesis of DevSecOps principles, which offer a balance of speed, flexibility, and risk management for organizations that adopt them.”
The report also found that there is a strong correlation between how often an organization scans for vulnerabilities and how quickly it addresses them. There is a comparable jump in fix rate with every increase in scan frequency until organizations hit 300 scans per year, at which point the percentage of flaws closed skyrockets to almost 100 percent.
Veracode hypothesizes that greater scan frequency indicates a higher likelihood that organizations are practicing DevSecOps.
The results of the report come from scans of over 2 trillion lines of code between April 1, 2017 and April 30, 2018.