State of Software Security Shows Little Change From 2016

When building and deploying applications, developers continue to make same security errors year after year, according to a new study from Veracode. The 44-page Veracode 2017 State of Software Security (SOSS) report was released on Oct. 18, providing insight from 400,000 software assessments conducted by Veracode between April 1, 2016, and March 31, 2017. Among the high-level findings in the report is that the same classes of vulnerabilities continue to be found in similar percentages in the last several years. Of note, Veracode found that 88 percent of Java applications that were scanned had at least one vulnerable component. In this slide show, eWEEK looks at some of the highlights from Veracode’s latest State of Software Security report.

Nearly 88 percent of scanned Java applications had at least one vulnerability in a component, according to findings in Veracode’s SOSS report. The likely reason why so many Java components were vulnerable is due to the fact that developers don’t patch components in production as new versions of Java components are released, the report said.

Each year, the Open Web Application Security Project (OWASP) publishes a list of the 10 most common software vulnerabilities. According to Veracode’s analysis, 69.8 percent of scanned applications did not pass the OWAPS top 10 policy test, with the applications vulnerable to one or more vulnerabilities. Over the last three years the pass/fail rate for the OWASP top 10 policy hasn’t changed much, Veracode said.

Veracode reported that the same top 10 vulnerability categories discovered with initial application scans from 2016 were once again the top 10 in 2017.

One of the Veracode top 10 vulnerabilities is SQL injection. Over the last five years, the percentage of scanned applications impacted by SQL injection has remained somewhat consistent, ranging from 27.6 percent to 32.2 percent.

Once an organization has had an initial application vulnerability scan, Veracode found varying rates of improvement when the same application was rescanned at a later date. With SQL injection, for example, on first scan 28 percent of applications were vulnerable, while on rescan only 23 percent were found to still be vulnerable.

Veracode found that 42 percent of flaws discovered during an initial scan remain unpatched. For the vulnerabilities that are patched, 28 percent take 90 days or more to remediate.

Organizations that embrace DevOps practices with frequent scanning have a better fix rate, Veracode found.