Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan

  /     /     /  
Publicated : 22/11/2024   Category : security


Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan


But developers not the only ones to blame, company says.



Application security continues to stink at many organizations, a new report from Veracode shows. But developers are not the only ones to blame. 
A failure by organizations to provide adequate security training and by operational teams to address vulnerabilities in the production environment have a big impact on application safety as well, the company said.
Veracodes
State of Software Security 2017
report is based on a code-level analysis of nearly 250 billion lines of code across 400,000 assessments conducted for 1,400 customers between April 2016 and March 2017.
The analysis showed more than 75% of the applications having one or more security vulnerabilities in code written by the development team, on initial scan. About 12% had either a very-high-severity or a high-severity flaw on first scan. A startling 88%, nearly nine out of 10, Java applications had at least one serious component-level flaw.
[See Veracodes vice president of research Chris Eng discuss Security, Application Development and DevOps at DarkReadings upcoming
INsecurity Conference
, Nov. 29-30 in the D.C. area.]
Veracodes 2017 analysis found applications riddled with the same vulnerabilities that it uncovered last year. Information leakage flaws were most common and were present in more than 65% of the applications in which a security bug was found on initial scan. About 62% had cryptographic flaws while 56% had what Veracode described as code quality issues.
The Top 10 list of most frequent vulnerabilities on initial scan this year was identical to the list of top flaws last year and suggested that organizations are continuing to grapple with the same issues as they have been for quite some time.
This year’s study included confirmation of trends we’ve seen for a while, says Tim Jarrett, senior director of product marketing at Veracode. But there were also some surprises, he says.
The analysis, for instance showed accelerating adoption of scanning earlier in the software development lifecycle, he says. The number of organizations doing at least 12 scans per year ticked up slightly from 10.5% to 11.1%. Over 36% though continued to do just one scan per year.
There was also evidence that findings, which are prioritized by a policy, for instance higher severity findings, get fixed about twice as often as do findings not prioritized by policy, Jarrett says.
We see evidence that scan frequencies are increasing, with a 3% to 4% increase in applications scanning at least daily, he says. [Such] frequent scanning is a sign of both early-lifecycle scanning and automated scanning. But the majority of applications are still only being tested quarterly—or less frequently. There’s plenty of room for improvement, he notes.
Developers, according to Veracode, are not the only ones to blame for the continuing struggles with applications that many organizations appear to be having.
It’s time to put the lazy developer trope to bed, the company noted in its report.  It may be easy for cybersecurity pros to blame AppSec woes on indifferent, uncaring, or slothful coders. But the reality is very different, Veracode said.
Operational teams for instance have a part in undermining application security as well. When Veracode took a look at the overall hygiene of the production environments at the organizations in its survey the company found an alarming number of vulnerable servers running production applications.
When Veracode queried the public-facing web applications of the companies in its report, it discovered nearly 25% of the sites operating on web servers with one or more vulnerabilities with a CVSS rating of 6 or higher. Nearly 19% had web servers that were at least a decade old.
At many organizations developers also simply dont get the security training they require. Few managers consider a software developers security skills as an important metric when evaluating performance, the application security vendor noted.
The Veracode report quoted a previous study the company had sponsored, in which 68 percent of developers and IT pros said their organizations did not provide adequate security training. Some 76% in that survey said they had not been required to take a single security course in college. Another study that Veracode conducted with analyst firm Enterprise Strategy Group showed a high-level of awareness about the importance of security knowledge among development teams. But only 18% said security was the most important metric for measuring developers’ performance, Veracode said.
Related content:
Why Your AppSec Program Is Doomed to Fail & How to Save It
98% of Companies Favor Integrating Security with DevOps
Software Assurance: Thinking Back, Looking Forward
7 Steps to Transforming Yourself into a DevSecOps Rockstar
 

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan