Veracode’s latest State of Software Security report highlights that applications are, on average, more secure than ever.
Getting the negatives out the way first, the report warns about the devastating “domino effect” that one vulnerability can have on software across the globe.
One clear example of this in action was the SolarWinds attack in which hackers inserted malicious code into the company’s Orion software. Every company and organisation using Orion was left vulnerable—including Microsoft, Cisco, FireEye, Intel, NATO, the UK Government, European Parliament, and multiple US federal agencies.
On 12 May 2021, the Biden administration released an executive order introducing new regulations to improve the nation’s cybersecurity.
With the 12th edition of its annual report, Veracode set out to help leaders make informed decisions about how to improve their software security, minimise risk, and meet the new regulations. The result is 48 pages that are packed with useful insights.
In this article, we’ll cover just some of the highlights from Veracode State of Software Security Volume 12.
The software security landscape
Veracode highlights an industry shift towards one-language apps or microservices. In 2018, around 20 percent of apps used multiple languages. In 2021, that number plummeted to less than 5 percent.
Improved continuous testing practices have led to 90 percent of apps now being scanned more than once a week, with most being scanned three times per week. That’s a 20x increase from 2010 when apps were scanned just two or three times per year.
Despite the high-profile attacks over recent years, third-party libraries are less vulnerable than they’ve ever been. In 2017, 35 percent of libraries had a known flaw. In 2021, that was down to just 10 percent.
Large improvements have also been made in the average time taken to fix third-party flaws, although it’s clear that more needs to be done.
In 2017, it would take over three years to get to the 50 percent (half-life) closed point. Now, it takes just over a year. However, 77 percent of flaws remain unfixed after three months.
“It may seem absurd that it can be over a year before even half the flaws identified through SCA are closed — especially when we see flaws found through dynamic analysis lasting just under 5 months for the same half-life metric. But what if we told you that’s actually a great improvement?” wrote Veracode in its report.
The researchers point towards flaws found in SCA. In 2017, it would take over three years to get to the 50 percent (half-life) closed point.
However, given that 97 percent of Java apps use open-source libraries—the threat still remains of a large amount of software being left vulnerable for months, if not a year or more.
Third-party code usage by language
When analysing what languages use a higher proportion of third-party code, Veracode’s researchers found that Java “remains steadfastly mostly third-party code”, which has only increased in the last few years.
The use of third-party code for .NET applications surged from a low-digit percentage to over 50 percent in mid-2020. Veracode notes how the surge coincides “with the release of .NET 5 (formerly .NET core), which integrated and unified a good amount of functionality into a single framework.”
When it comes to JavaScript and Python, there’s little consistency. Veracode calls it “the barbell effect” with the trend line bouncing around as software is either mostly homegrown or mostly third-party code with little in-between.
The opposite is observed with PHP and C++, with software consistently leaning heavily towards homegrown code.
Veracode found that developers mostly stick with “tried-and-true libraries” rather than attempt to refactor their codebases to pick up the “coolest” or “most- popular” libraries.
Percentage of flawed libraries per language
Veracode set out to determine whether certain languages are more prone to flawed libraries than others, and the progress that has been made over the years in reducing the prevalence.
At around 12.5 percent, Java libraries have the most flaws on average. This is closely followed by Ruby at around 10 percent and Python around 5 percent.
PHP, JavaScript, and .NET all have the lowest prevalence of vulnerable libraries of the languages analysed with around 3 percent each.
Veracode highlights the notable progress for Java, JavaScript, and Python libraries in particular. Since 2017, vulnerable Java libraries have plummeted steeply from around 25 percent, Python from about 20 percent, and JavaScript from about 10 percent.
Software to fix software
Veracode found that organisations using dynamic scanning in addition to static were able to remediate 50 percent of flaws and, on average, 24 days faster. Furthermore, introducing software composition analysis (SCA) shaved a further six days off.
Here are the leading software weaknesses discovered by scan type:
(Credit: Veracode)
After several software attacks making national headlines – not just security and tech publications – it’s easy to get the perception that modern software is full of vulnerabilities.
While acknowledging that more still needs to be done, Veracode’s report finds that software is actually more secure than ever. After the past couple of years, I think we can all appreciate some positivity.
(Photo by John Schnobrich on Unsplash)
Looking to revamp your digital transformation strategy? Learn more about Digital Transformation Week taking place on 11-12 May 2022 and discover key strategies for making your digital efforts a success.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.