
Time taken to fix vulnerabilities increases by 47%

Veracode’s latest State of Software Security (SoSS) report has brought to light some troubling trends in software security vulnerabilities. The report reveals that organizations are taking significantly longer to fix these vulnerabilities, with the average time to address them now standing at eight and a half months. This marks a 47% increase over the past five years, painting a grim picture of the state of software security today.

One of the primary reasons behind this delay, as outlined in the report, is the increasing reliance on third-party code and the emergence of AI-generated code. These factors have led to a more complex software ecosystem that is harder to secure, contributing to the prolonged fix times observed in the industry. This shift is stark when compared to the situation 15 years ago when the fix time was nearly three times faster.

A notable concern highlighted in the report is the accumulation of critical security debt within organizations. Shockingly, 50% of all organizations have vulnerabilities that have gone unaddressed for over a year, with critical vulnerabilities making up 70% of this backlog. The prevalence of critical flaws, many originating from third-party code, underscores the risks associated with vulnerabilities in software supply chains. Despite initiatives to bolster security measures, a significant portion of organizations, around 74.2%, continue to grapple with security debt encompassing various severity levels of flaws.

The report also sheds light on the disparities in how organizations handle security flaws. The top 25% of companies are able to address more than 10% of their software vulnerabilities every month, while the bottom 25% struggle to tackle even 1%. Additionally, mature organizations exhibit security debt in only 17% of their applications, contrasting starkly with less mature counterparts burdened with security debt in over 67% of their applications. This discrepancy underscores the varying levels of maturity in vulnerability management practices across the industry.
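The two preceding paragraphs describe the metrics the report is built on: security debt (flaws left open for more than a year), the critical share of that debt, the fraction of applications carrying debt, monthly fix rate and mean time to fix. The following is an added example, not code from the report or from Veracode, that computes those same metrics over a small constructed set of findings so a team can apply the definitions to its own scanner export. The `Finding` record, the 365-day threshold and every date and application name below are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Assumed threshold: the report counts a flaw as security debt once it has
# been open for more than a year.
DEBT_THRESHOLD_DAYS = 365


@dataclass(frozen=True)
class Finding:
    """One scanner finding; shape assumed for this example."""
    app: str
    severity: str               # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date] = None

    def is_open(self, as_of: date) -> bool:
        return self.closed is None or self.closed > as_of

    def age_days(self, as_of: date) -> int:
        end = as_of if self.is_open(as_of) else self.closed
        return (end - self.opened).days


def security_debt(findings: Iterable[Finding], as_of: date) -> list:
    """Findings still open on `as_of` and older than the debt threshold."""
    return [f for f in findings
            if f.is_open(as_of) and f.age_days(as_of) > DEBT_THRESHOLD_DAYS]


def debt_summary(findings: list, as_of: date) -> dict:
    """Size of the debt, how much of it is critical, and how many apps carry any."""
    debt = security_debt(findings, as_of)
    apps = {f.app for f in findings}
    apps_with_debt = {f.app for f in debt}
    critical = sum(1 for f in debt if f.severity == "critical")
    return {
        "debt_count": len(debt),
        "critical_share": critical / len(debt) if debt else 0.0,
        "apps_with_debt_share": len(apps_with_debt) / len(apps) if apps else 0.0,
    }


def monthly_fix_rate(findings: list, month_start: date, month_end: date) -> float:
    """Share of findings open at the start of the month that were closed within it."""
    open_at_start = [f for f in findings
                     if f.opened <= month_start and f.is_open(month_start)]
    fixed = [f for f in open_at_start
             if f.closed is not None and month_start < f.closed <= month_end]
    return len(fixed) / len(open_at_start) if open_at_start else 0.0


def mean_time_to_fix_days(findings: list) -> float:
    """Average open-to-close time over findings that have been closed."""
    closed = [f for f in findings if f.closed is not None]
    return (sum(f.age_days(f.closed) for f in closed) / len(closed)
            if closed else 0.0)


# Constructed sample backlog; applications, dates and severities are invented.
SAMPLE_FINDINGS = [
    Finding("billing", "critical", date(2022, 1, 10)),
    Finding("billing", "high", date(2022, 6, 1)),
    Finding("portal", "medium", date(2023, 11, 15)),
    Finding("portal", "critical", date(2022, 2, 1), closed=date(2024, 2, 20)),
    Finding("api", "low", date(2023, 12, 1)),
    Finding("api", "high", date(2023, 9, 1), closed=date(2024, 2, 10)),
    Finding("mobile", "critical", date(2022, 9, 1)),
]
AS_OF = date(2024, 3, 1)


if __name__ == "__main__":
    print("debt summary:", debt_summary(SAMPLE_FINDINGS, AS_OF))
    print("Feb 2024 fix rate: %.3f" % monthly_fix_rate(
        SAMPLE_FINDINGS, date(2024, 2, 1), date(2024, 2, 29)))
    print("mean time to fix (days): %.1f" % mean_time_to_fix_days(SAMPLE_FINDINGS))
```

Run against a real export, the same four numbers let a team place itself against the report's bands: a monthly fix rate above 10% matches the top quartile, below 1% the bottom quartile, and the share of applications carrying debt can be compared with the 17% and 67% figures for mature and less mature organizations.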

Amidst these concerning statistics, there are some positive trends to note. The report reveals a 63% increase in the number of applications free from flaws listed in the OWASP Top 10 vulnerabilities over the past five years. Moreover, the prevalence of high-severity flaws has been halved since 2016, showcasing gradual improvements in security protocols. Nonetheless, with critical vulnerabilities still present in over half of all applications, it is evident that there is a pressing need to enhance security practices to combat the evolving threats in today’s software landscape.

In conclusion, while there have been some strides towards improving software security, the findings of Veracode’s SoSS report emphasize the persistent challenges faced by organizations in securing their software assets. As the complexity of software ecosystems continues to grow, it is imperative for companies to prioritize proactive security measures to mitigate risks and safeguard their digital infrastructure effectively.
