Do You Have Software Security (Technical) Debt Piling Up?
Veracode makes software that tests your software for vulnerabilities. Software developers use Veracode’s product to see if their software is vulnerable.
Here is some information based on scanning over one million applications:
Veracode says that AI-generated code introduces security bugs at scale and will likely add to security (technical) debt. AI tools might also be able to remediate some of that debt.
They found a considerable number of flaws in third-party code, so if you are not testing the libraries and other third-party code that goes into your software, that is a problem.
High-severity flaws dropped from 38% of applications in 2016 to 18% of tested applications in 2023. That could be because their customers are the ones who are motivated to fix the debt. It is unclear what the statistics would be if we were able to scan ALL applications. The one million apps scanned is a small percentage of the total number of apps out there.
3.2% of ALL flaws were found to be highly severe (a score of more than 9 out of 10), and almost 16% of those flaws were very likely to be exploited.
That means, they say, that slightly less than 1% of all flaws detected in 2023 were both critical and highly exploitable. But that doesn’t get you off the hook.
80% of all active applications tested had unresolved flaws.
Third-party code was actually a little buggier than your own code: 63% of first-party code had flaws, while 70% of third-party code did.
Software security debt, which Veracode defines as any flaw that has persisted without remediation for over a year, was found in almost half of all applications.
The picture is a little different when critical security debt (non-remediated critical flaws) is taken into account. “A large majority of organizations (71%) have security debt at some level,” according to the research. “And close to half of all firms (46%) have high-severity persistent flaws that we’ll classify as critical security debt.”
Among organizations with security debt, the bottom quarter have debt in less than 17% of their applications, while the top quarter have debt in more than 67% of their applications, the research noted. On average, almost half of all the flaws (47%) an organization has can be attributed to security debt.
Remember that these statistics only include companies that are willing to spend several thousand dollars a year to license Veracode’s software. These companies are more likely to fix their bugs than those that don’t even look for bugs.
While there are tools that you can use to detect security debt, it is up to you to fix that debt, and fixing it is sometimes both hard and expensive.
If you need help with this, please contact us. Credit: CSO Online