Organizations accumulate software security debt despite decrease in critical flaws

A recent study by Veracode has revealed alarming statistics about the prevalence of security flaws in actively used applications. According to the study, a staggering 80% of all active applications were found to have unresolved flaws when assessed using Veracode’s SAST, DAST, and SCA scans. Even when using SAST-only scans, which specifically examine issues in the development phase of applications, 73% of applications were found to have unresolved flaws.

Interestingly, the study found that flaws detected in third-party, open-source components were just as common as those found in first-party code. In fact, 63.4% of applications were found to have flaws in first-party code, while 70.2% of applications had flaws in third-party code. This indicates a need for deeper scanning of both sources in the software supply chain, particularly as AI adoption continues to grow.

The study also revealed that, on average, a typical application has 42 flaws for every 1 MB of code. Among the top flaws found in applications with high intensity and volume were cross-site scripting, injection, path traversal, and vulnerable and outdated components.

One of the most concerning findings of the study was the prevalence of software security debt. This refers to any flaw that has persisted without remediation for over a year. Shockingly, the study found that 42% of all applications were burdened with security debt. Even when including applications less than one year old, 23% of applications still had unresolved security flaws, bringing the total percentage of applications with flaws to 57%.

The situation becomes even more dire when critical security debt is taken into account. According to the research, a whopping 71% of organizations have some level of security debt, with 46% of them having high-severity persistent flaws classified as critical security debt.

The distribution of security debt among organizations varies significantly. While a quarter of organizations have security debt in less than 17% of applications, another quarter of them have debt in more than 67% of applications. On average, almost half of all the flaws (47%) an organization has can be attributed to security debt.
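The definitions used above (security debt is any unresolved flaw older than a year; high-severity debt is critical security debt) are simple enough to compute from your own scanner output. The following is an added example, not code from the article or from Veracode; the `Finding` fields and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds follow the article's definitions: a flaw becomes security debt once it
# has gone unremediated for more than a year, and high-severity debt is critical debt.
DEBT_AGE = timedelta(days=365)
CRITICAL_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Field names are assumptions for this example."""
    app: str
    cwe: str
    severity: str       # low / medium / high / critical
    first_seen: date    # date the scanner first reported the flaw
    resolved: bool = False


def is_debt(f: Finding, as_of: date) -> bool:
    """Unresolved and open for more than a year => security debt (365 days is not debt)."""
    return not f.resolved and (as_of - f.first_seen) > DEBT_AGE


def debt_report(findings: list[Finding], as_of: date) -> dict:
    """Aggregate per-application and organisation-wide security-debt metrics."""
    apps = {f.app for f in findings}
    open_flaws = [f for f in findings if not f.resolved]
    debt = [f for f in open_flaws if is_debt(f, as_of)]
    apps_with_debt = {f.app for f in debt}
    apps_with_critical_debt = {f.app for f in debt if f.severity in CRITICAL_SEVERITIES}
    return {
        "apps_with_debt": sorted(apps_with_debt),
        "apps_with_critical_debt": sorted(apps_with_critical_debt),
        "pct_apps_with_debt": round(100 * len(apps_with_debt) / len(apps), 1),
        "pct_flaws_that_are_debt": round(100 * len(debt) / len(open_flaws), 1) if open_flaws else 0.0,
        "has_critical_debt": bool(apps_with_critical_debt),
    }


# Constructed sample findings, not data from the Veracode study.
AS_OF = date(2024, 3, 1)
SAMPLE = [
    Finding("billing", "CWE-79", "medium", date(2022, 6, 10)),                  # XSS, >1 year: debt
    Finding("billing", "CWE-89", "high", date(2022, 1, 5)),                     # injection, >1 year: critical debt
    Finding("portal", "CWE-22", "high", date(2023, 11, 20)),                    # path traversal, recent: not debt
    Finding("portal", "CWE-1104", "medium", date(2021, 9, 1), resolved=True),   # remediated: not counted
    Finding("reports", "CWE-79", "low", date(2023, 3, 2)),                      # exactly 365 days old: not debt
]

if __name__ == "__main__":
    print(debt_report(SAMPLE, AS_OF))
```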

Overall, the study’s findings paint a concerning picture of the state of software security. With the majority of applications found to have unresolved flaws and a high prevalence of security debt, organizations must prioritize the identification and resolution of security issues in their software supply chain. Ignoring these issues could leave organizations vulnerable to cyberattacks and data breaches, ultimately putting their sensitive information and that of their customers at risk.