Nearly 32 percent of newly deployed enterprise applications contain security flaws in their initial vulnerability scans, according to the latest annual report from software security firm Veracode. The current State of Software Security report was published on January 11, 2022.
The report also identifies what Veracode researchers call the “honeymoon period,” which lasts up to a year and a half after an application is deployed and during which the share of applications carrying flaws drops; after a longer period of time, that number rises again.
By five years in production, nearly 70% of applications contain at least one security flaw.
“What this shows us is that as the application lifecycle progresses, there are things that make the application worse, such as changing team composition, developers, and codebase complexity,” Chris Eng, chief research officer at Veracode, told Infosecurity.
No correlation between defect introduction and code length
However, Veracode researchers found no direct correlation between application growth (code getting longer) and the rate at which defects are introduced.
Based on these findings, Veracode concluded:
“For example, spacing out scans by several months correlates with a higher likelihood of finding defects when the scans are finally run,” a Veracode spokesperson said in a statement.
The flaws that dominate an application’s findings also depend on the type of test. For example, server configuration flaws accounted for 96.5% of the vulnerabilities identified by Veracode’s dynamic analysis, but only 11.1% of those identified by static analysis.
The results “underscore the importance of using multiple scan types to avoid missing hard-to-identify defects,” said a Veracode spokesperson.
Software composition analysis is essential
Over the past year, there has been an increased focus on software bills of materials (SBOMs), a requirement that was part of President Biden’s 2021 executive order on Improving the Nation’s Cybersecurity. Veracode’s research team also examined 30,000 open source repositories published on GitHub.
Ten percent of those repositories had not received a commit (a source code change) in almost six years.
“By using a software composition analysis (SCA) solution that leverages multiple vulnerability sources beyond the National Vulnerability Database, teams can be proactively alerted when vulnerabilities are disclosed and, hopefully, before they are exploited, so safeguards can be put in place more quickly. In addition to considering ways to reduce reliance on third parties, organizations should also set their own policy on vulnerability detection and management.”
Veracode’s report is based on 750,000 enterprise applications across all sectors, scanned using three methods: static analysis, dynamic analysis and software composition analysis (SCA).