App Developers Continue to Make Same Security Errors, Report Finds | eWeek

State of Software Security Shows Little Change From 2016

Software security
Oct 23, 2017
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More


State of Software Security Shows Little Change From 2016

1 - State of Software Security Shows Little Change From 2016

When building and deploying applications, developers continue to make same security errors year after year, according to a new study from Veracode. The 44-page Veracode 2017 State of Software Security (SOSS) report was released on Oct. 18, providing insight from 400,000 software assessments conducted by Veracode between April 1, 2016, and March 31, 2017. Among the high-level findings in the report is that the same classes of vulnerabilities continue to be found in similar percentages in the last several years. Of note, Veracode found that 88 percent of Java applications that were scanned had at least one vulnerable component. In this slide show, eWEEK looks at some of the highlights from Veracode’s latest State of Software Security report.


Java Applications at Risk

2 - Java Applications at Risk

Nearly 88 percent of scanned Java applications had at least one vulnerability in a component, according to findings in Veracode’s SOSS report. The likely reason why so many Java components were vulnerable is due to the fact that developers don’t patch components in production as new versions of Java components are released, the report said.


Most Apps Are Vulnerable to OWASP Top 10 Security Flaws

3 - Most Apps Are Vulnerable to OWASP Top 10 Security Flaws

Each year, the Open Web Application Security Project (OWASP) publishes a list of the 10 most common software vulnerabilities. According to Veracode’s analysis, 69.8 percent of scanned applications did not pass the OWAPS top 10 policy test, with the applications vulnerable to one or more vulnerabilities. Over the last three years the pass/fail rate for the OWASP top 10 policy hasn’t changed much, Veracode said.


Advertisement

Top 10 Vulnerabilities Remain Unchanged in 2017

4 - Top 10 Vulnerabilities Remain Unchanged in 2017

Veracode reported that the same top 10 vulnerability categories discovered with initial application scans from 2016 were once again the top 10 in 2017.


SQL Injection Rates Remain Static

5 - SQL Injection Rates Remain Static

One of the Veracode top 10 vulnerabilities is SQL injection. Over the last five years, the percentage of scanned applications impacted by SQL injection has remained somewhat consistent, ranging from 27.6 percent to 32.2 percent.


Vulnerabilities Decrease on Rescan at Different Rates

6 - Vulnerabilities Decrease on Rescan at Different Rates

Once an organization has had an initial application vulnerability scan, Veracode found varying rates of improvement when the same application was rescanned at a later date. With SQL injection, for example, on first scan 28 percent of applications were vulnerable, while on rescan only 23 percent were found to still be vulnerable.


Most Flaws Take More Than 90 Days to Close

7 - Most Flaws Take More Than 90 Days to Close

Veracode found that 42 percent of flaws discovered during an initial scan remain unpatched. For the vulnerabilities that are patched, 28 percent take 90 days or more to remediate.


DevOps Practices Improve Security

8 - DevOps Practices Improve Security

Organizations that embrace DevOps practices with frequent scanning have a better fix rate, Veracode found.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.