
Research: 80% of applications developed in EMEA found to have security flaws


Veracode, a leading provider of intelligent software security, has released research indicating that applications developed by organizations in Europe, the Middle East, and Africa (EMEA) tend to contain more security flaws than those created by their counterparts in the United States. The study also found that EMEA has the highest percentage of “high severity” flaws, which would cause critical issues for businesses if exploited. This is a significant concern as software supply chain cyberattacks dominate headlines in 2023.

According to the research, over 80% of applications developed by EMEA organizations had at least one security flaw detected in their most recent scan over the last 12 months. In comparison, just under 73% of U.S. organizations had security flaws in their applications. Furthermore, the percentage of applications containing “high severity” flaws in EMEA was almost 20%, the highest across all regions analyzed.

Chris Eng, Chief Research Officer at Veracode, highlighted the findings, stating, “Our data shows that organizations globally are continuing to deploy a worrying number of applications with a high number of flaws in the CWE Top 25. We did, however, identify interesting regional differences, particularly in terms of third-party or open-source code usage and the ways in which vulnerabilities are introduced across the application lifecycle.”

Veracode’s latest annual report on the State of Software Security is based on the analysis of data collected from over 27 million scans across 750,000 applications. The report focuses on the EMEA-specific findings from scans and applications in countries such as the UK, Germany, France, Italy, and across the Middle East and Africa.

The consequences of hackers exploiting software vulnerabilities are significant. With EMEA organizations using a complex mix of third-party software, the exploitation of a serious vulnerability can impact thousands of victims at once. Earlier this year, a vulnerability affecting printing software tools PaperCut MF and PaperCut NG was actively abused by threat actors, potentially impacting up to 70,000 organizations in 200 countries. It is crucial to address these vulnerabilities to protect businesses and individuals from cyber threats.

The research also identified notable regional differences in language preference: Java is the preferred language for developers in EMEA. Teams using Java, however, were found to remediate flaws more slowly than those using .NET or JavaScript, which contributes to the higher percentage of vulnerable applications in the region. This matters because over 95% of Java applications are composed of third-party or open-source code, so software composition analysis (SCA), which checks declared dependencies against known-vulnerable versions, is essential for finding flaws that the team never wrote itself.
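To make the SCA point concrete, here is an added example (not Veracode's scanner or any code from the report) that does what such a tool does at its core: it reads the dependencies declared in a Maven `pom.xml`, resolves `${property}` version references, and matches each coordinate against an advisory list with affected version ranges. The `pom.xml`, the `org.example` coordinates and the `EX-2023-*` advisory IDs are all constructed for the example; a real tool would pull advisories from a feed such as the NVD or the GitHub Advisory Database, and Maven's actual version ordering is richer than the simplified comparison used here.

```python
"""Minimal SCA check for a Maven pom.xml (added illustration, not a real scanner)."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed advisories: (groupId, artifactId, first affected, first fixed, id, severity).
# Coordinates and IDs are hypothetical, not real libraries or CVEs.
ADVISORIES = [
    ("org.example", "legacy-parser", "1.0.0", "1.4.2", "EX-2023-0001", "high"),
    ("org.example", "legacy-parser", "2.0.0", "2.1.0", "EX-2023-0002", "medium"),
    ("org.example", "net-utils", "0.0.0", "3.0.0", "EX-2023-0003", "critical"),
]

# Constructed pom.xml: one property-driven version, one direct version,
# and one dependency whose version is managed elsewhere (parent/BOM).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <parser.version>1.4.1</parser.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>legacy-parser</artifactId>
      <version>${parser.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>net-utils</artifactId>
      <version>3.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """Turn '1.4.1-rc1' into a comparable tuple (simplified Maven ordering).

    Numeric segments are padded so 1.4 == 1.4.0; a qualified build
    (1.4.1-rc1) sorts before the plain release (1.4.1).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    qualifier = (m.group(2) or "").lower()
    return nums + ((1, "") if not qualifier else (0, qualifier))


def resolve(value, props):
    """Expand ${name} references using the pom's <properties> block."""
    def sub(match):
        name = match.group(1)
        if name not in props:
            raise KeyError(f"unresolved Maven property {name}")
        return props[name]
    return re.sub(r"\$\{([^}]+)\}", sub, value)


def dependencies(pom_xml):
    """Return (groupId, artifactId, version-or-None) for each declared dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}", 1)[1]] = (p.text or "").strip()
    props.setdefault("project.version", root.findtext("m:version", default="", namespaces=NS))
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        g = d.findtext("m:groupId", namespaces=NS)
        a = d.findtext("m:artifactId", namespaces=NS)
        v = d.findtext("m:version", namespaces=NS)
        # No <version>: it is managed by a parent or BOM; flag it rather than guess.
        deps.append((g, a, None if v is None else resolve(v, props)))
    return deps


def scan(pom_xml, advisories=ADVISORIES):
    """Match each dependency against the advisory ranges [first affected, first fixed)."""
    findings = []
    for g, a, v in dependencies(pom_xml):
        if v is None:
            findings.append({"coord": f"{g}:{a}", "version": None, "id": None,
                             "severity": "unknown", "note": "version not declared in pom; check parent/BOM"})
            continue
        pv = parse_version(v)
        for ag, aa, lo, hi, adv_id, sev in advisories:
            if (g, a) == (ag, aa) and parse_version(lo) <= pv < parse_version(hi):
                findings.append({"coord": f"{g}:{a}", "version": v, "id": adv_id,
                                 "severity": sev, "note": f"fixed in {hi}"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_POM):
        print(f"{f['severity']:<8} {f['coord']} {f['version']} {f['id'] or ''} ({f['note']})")
```

Two things this toy check does that a quick grep over the pom would not: it resolves property-driven versions, which is how most real Java projects pin library versions, and it refuses to silently pass a dependency whose version lives in a parent POM or BOM, since that is exactly where a vulnerable transitive version tends to hide. A production SCA tool goes further and walks the full resolved dependency tree rather than only the direct declarations.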

As generative AI becomes more prevalent in software development, the risk of vulnerabilities arriving from outside the team increases. A study presented at Black Hat in 2022 found vulnerabilities in 40% of code written by large language models trained on unfiltered data, including millions of public GitHub repositories. Organizations therefore need to scan both their dependencies (with SCA) and the code itself (with static analysis) to find and fix such flaws, so that they can take advantage of AI without compromising application security.

The research also revealed that new flaws continue to be introduced into EMEA applications at a higher rate than in other regions throughout the application lifecycle. EMEA organizations keep updating their applications, but with less focus on maintaining quality: five years into their lifecycle, 50% of EMEA applications are still introducing new flaws, compared with just over 30% for the rest of the world. This highlights the need for EMEA organizations to pay more attention to the later part of the application lifecycle and to scan applications for vulnerabilities regularly rather than only at release. Security training for developers also helps, although the measured effect is modest: completing 10 interactive security labs reduces the probability of introducing a flaw in any given month from 27% to about 25%.

Chris Eng emphasized the importance of addressing these security concerns, stating, “This year’s State of Software Security report shines a light on the importance of security across the entire software lifecycle, as well as the urgent need to address risks posed by third-party and AI-generated code. Development teams in the EMEA region must take the opportunity to automate software security for regular scanning and carefully consider their use of AI tools to increase security and empower developers.”

Veracode’s State of Software Security EMEA 2023 report recommends various actions that software development teams in the region can take to improve their cybersecurity posture. The report is available for download on Veracode’s website.

Overall, the findings from Veracode’s research highlight the need for organizations in EMEA to prioritize software security, particularly in terms of addressing vulnerabilities in third-party code, improving application quality, and leveraging security tools to mitigate risks. By taking proactive measures, businesses can enhance their cybersecurity and reduce the potential impact of cyberattacks.
