A new study notes that business applications are becoming increasingly insecure. The number of (code) errors is increasing, it takes longer to fix them, and a disproportionate share of the problems occur in third-party and open-source code.
Business application security is getting worse, Veracode researchers note in the annual State of Software Security (SoSS) report. They base their findings on a comprehensive dataset of 1.3 million unique business applications and 126.4 million raw data points. About half of the respondents experience problems due to vulnerable applications.
Errors increased
The number of business applications with severe flaws has increased by 181 percent over the past five years, the software security specialist says in the survey. Meanwhile, 80.3 percent of applications contain a flaw. Furthermore, 47.7 percent of applications have a vulnerability in one of the Top 10 application risk categories.
These include broken access control, cryptographic errors, injection vulnerabilities, security misconfiguration or vulnerable and outdated software components.
In addition, the time it takes to resolve these problems has increased 47 percent over the past year. Compared to five years ago, it has even increased by 327 percent. Overall, it now takes an average of 252 days to fix a software bug, up from 171 days in 2020.
Especially third-party and open-source code
According to the researchers, many of the bugs found are in third-party code. Libraries or software components from third-party vendors contain errors in 70 percent of cases, and code written specifically for an application contains errors in 64 percent of cases.
Errors in third-party code also tend to have more severe consequences: three out of 10 companies surveyed indicated that 96 percent of their critical security problems stem from third-party code.
Furthermore, even open-source code, although only used in a small percentage of cases, often contains errors. In addition, it takes significantly longer to fix errors in open-source code. This process takes an average of 12 months, compared with eight months for first-party code.
Possible causes of problems
Finally, the researchers indicate why third-party code is often more vulnerable than first-party code. This is because, for example, libraries have many dependencies that cannot all be easily updated. Another problem is that refactoring an application or replacing a library with a more secure option can create complications.
Also, open source projects may be less active and poorly maintained.