1State of Software Security Shows Little Change From 2016
When building and deploying applications, developers continue to make same security errors year after year, according to a new study from Veracode. The 44-page Veracode 2017 State of Software Security (SOSS) report was released on Oct. 18, providing insight from 400,000 software assessments conducted by Veracode between April 1, 2016, and March 31, 2017. Among the high-level findings in the report is that the same classes of vulnerabilities continue to be found in similar percentages in the last several years. Of note, Veracode found that 88 percent of Java applications that were scanned had at least one vulnerable component. In this slide show, eWEEK looks at some of the highlights from Veracode’s latest State of Software Security report.
2Java Applications at Risk
Nearly 88 percent of scanned Java applications had at least one vulnerability in a component, according to findings in Veracode’s SOSS report. The likely reason why so many Java components were vulnerable is due to the fact that developers don’t patch components in production as new versions of Java components are released, the report said.
3Most Apps Are Vulnerable to OWASP Top 10 Security Flaws
Each year, the Open Web Application Security Project (OWASP) publishes a list of the 10 most common software vulnerabilities. According to Veracode’s analysis, 69.8 percent of scanned applications did not pass the OWAPS top 10 policy test, with the applications vulnerable to one or more vulnerabilities. Over the last three years the pass/fail rate for the OWASP top 10 policy hasn’t changed much, Veracode said.
4Top 10 Vulnerabilities Remain Unchanged in 2017
5SQL Injection Rates Remain Static
6Vulnerabilities Decrease on Rescan at Different Rates
Once an organization has had an initial application vulnerability scan, Veracode found varying rates of improvement when the same application was rescanned at a later date. With SQL injection, for example, on first scan 28 percent of applications were vulnerable, while on rescan only 23 percent were found to still be vulnerable.
7Most Flaws Take More Than 90 Days to Close
8DevOps Practices Improve Security
Organizations that embrace DevOps practices with frequent scanning have a better fix rate, Veracode found.