Security flaws found in 36% of code generated by GitHub Copilot

A recent report by Veracode has revealed that 42% of applications and 71% of organizations carry security debt, which the report defines as flaws that have remained unfixed for more than a year. It also finds that 46% of organizations have persistent, high-severity flaws that constitute critical security debt, exposing their businesses to risks to confidentiality, integrity, and availability.

The study found that 63% of applications have flaws in first-party code, while 70% have flaws in code imported through third-party libraries, which underscores the need to test both throughout the software development life cycle. Third-party flaws also take longer to fix: half of the known third-party flaws are fixed within 11 months, compared to seven months for first-party flaws, roughly 50% longer.

On a more positive note, the report also indicated that high-severity flaws in applications have decreased by half since 2016, which suggests that software security practices are improving and that faster remediation keeps critical security debt from accumulating.

Chris Eng, Chief Research Officer at Veracode, emphasized the importance of addressing security debt head-on by prioritizing flaw remediation, focusing on third-party code security, and adopting efficient development practices. He warned that despite the speed and efficiency AI brings to software development, it does not necessarily produce secure code: research has shown that 36% of code generated by GitHub Copilot contains security flaws, posing a significant risk to organizations and the software supply chain.

The report also found that remediation capacity is constrained: only 64% of applications have enough fix capacity to eliminate their critical security debt. Even where capacity is sufficient, teams are not prioritizing critical flaws; only two in ten applications show an average monthly fix rate above 10% of all open security flaws.

There is, however, a clear path forward: only 3% of all flaws constitute critical security debt, yet those flaws account for the largest share of an application's risk exposure. By prioritizing that 3%, organizations can achieve the greatest risk reduction for a focused effort.
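The metrics above (security debt, critical security debt, monthly fix rate, time-to-fix by code origin) are easy to reproduce over your own scanner output, and doing so is the practical first step toward the "prioritize the 3%" approach the report recommends. The script below is an added example, not code from the article or from Veracode: it applies the definitions as the article reports them to a constructed list of findings for one application. The Finding layout, the sample findings, the FEB_2024 window and the helper names are assumptions for illustration, not a real Veracode export format.

```python
"""
Security-debt triage over a SAST findings export.

Added example; not code from the article or from Veracode. It implements the
definitions the article reports (security debt: a flaw left unfixed for more
than a year; critical security debt: high-severity flaws that are also debt;
monthly fix rate: share of the open backlog closed within a month) and the
prioritisation the article recommends. The Finding layout, the sample
findings and the helper names are constructed assumptions, not a real
Veracode export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DEBT_AGE_DAYS = 365          # "unfixed for more than a year"
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str            # "high", "medium" or "low"
    origin: str              # "first_party" or "third_party"
    first_seen: date
    fixed_on: Optional[date] = None   # None while the flaw is still open


def is_open(f: Finding, as_of: date) -> bool:
    return f.fixed_on is None or f.fixed_on > as_of


def age_days(f: Finding, as_of: date) -> int:
    return (as_of - f.first_seen).days


def is_security_debt(f: Finding, as_of: date) -> bool:
    return is_open(f, as_of) and age_days(f, as_of) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, as_of: date) -> bool:
    return is_security_debt(f, as_of) and f.severity == "high"


def debt_summary(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Counts behind the article's headline percentages for one application."""
    open_ = [f for f in findings if is_open(f, as_of)]
    debt = [f for f in open_ if is_security_debt(f, as_of)]
    critical = [f for f in debt if f.severity == "high"]
    return {
        "open": len(open_),
        "debt": len(debt),
        "critical_debt": len(critical),
        "critical_debt_share": len(critical) / len(open_) if open_ else 0.0,
        "third_party_debt": sum(1 for f in debt if f.origin == "third_party"),
    }


def monthly_fix_rate(findings: List[Finding], month_start: date, month_end: date) -> float:
    """Share of flaws open at the start of the month that were closed during it."""
    backlog = [f for f in findings
               if f.first_seen <= month_start and is_open(f, month_start)]
    fixed = [f for f in backlog
             if f.fixed_on is not None and month_start <= f.fixed_on <= month_end]
    return len(fixed) / len(backlog) if backlog else 0.0


def median_days_to_fix(findings: List[Finding], origin: str) -> Optional[float]:
    """Median time-to-fix for closed flaws of one origin (first- or third-party)."""
    days = sorted((f.fixed_on - f.first_seen).days
                  for f in findings if f.origin == origin and f.fixed_on is not None)
    if not days:
        return None
    mid = len(days) // 2
    return float(days[mid]) if len(days) % 2 else (days[mid - 1] + days[mid]) / 2


def prioritize(findings: List[Finding], as_of: date) -> List[str]:
    """Order the open backlog: critical debt first, then by severity, then oldest first."""
    open_ = [f for f in findings if is_open(f, as_of)]
    open_.sort(key=lambda f: (not is_critical_debt(f, as_of),
                              SEVERITY_RANK[f.severity],
                              -age_days(f, as_of)))
    return [f.id for f in open_]


# Constructed sample findings for one application (not real scan data).
FINDINGS = [
    Finding("F1", "high",   "first_party", date(2022, 10, 1)),
    Finding("F2", "medium", "third_party", date(2022, 12, 15)),
    Finding("F3", "high",   "third_party", date(2023, 11, 1)),
    Finding("F4", "low",    "first_party", date(2021, 6, 1)),
    Finding("F5", "high",   "first_party", date(2023, 1, 10), date(2023, 8, 10)),
    Finding("F6", "medium", "third_party", date(2023, 2, 1),  date(2024, 1, 20)),
    Finding("F7", "high",   "third_party", date(2022, 9, 1),  date(2024, 2, 10)),
]
AS_OF = date(2024, 3, 1)
FEB_2024 = (date(2024, 2, 1), date(2024, 2, 29))   # one reporting month

if __name__ == "__main__":
    print(debt_summary(FINDINGS, AS_OF))
    print("Feb 2024 fix rate:", monthly_fix_rate(FINDINGS, *FEB_2024))
    print("median days to fix, third-party:", median_days_to_fix(FINDINGS, "third_party"))
    print("fix order:", prioritize(FINDINGS, AS_OF))
```

Two design points are worth noting. The fix-rate denominator is the backlog open at the start of the month, not everything ever found, so a team that closes many freshly reported flaws while old ones age does not look better than it is. And the sort key puts critical debt ahead of newer high-severity findings on purpose: that is the ordering the report argues for, since the small, old, high-severity slice carries most of the exposure.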

Eng concluded by highlighting the potential for AI to open a new frontier in software security by helping organizations scale remediation and work through both the long backlog of security debt and the new flaws that keep emerging.

Overall, the report serves as a wake-up call for organizations to address their security debt and improve the overall state of their software security. Focused, proactive remediation of the small set of critical flaws, attention to third-party code, and efficient development practices are what reduce security debt and the business risk that comes with it.
