While the past few years have seen great improvements in software security, the same concerning flaws keep reappearing. The 2018 State of Software Security (SOSS) report from CA’s Veracode division found that despite added security features, applications still contain serious vulnerabilities that aren’t being addressed.
The good news is that the SOSS report found that 69% of discovered flaws were mitigated by organizations, which is up 12% from last year. Unfortunately, more than 85% of all scanned applications still showed that they had at least one major vulnerability when scanned.
To compile this data, Veracode scanned more than two trillion lines of code across a customer base of about 2,000 organizations. And while the report shows that 69% of found flaws were remediated, that means 31% of flaws still aren’t being patched.
Even with between 75% and 80% of malicious attacks coming from internal threats, companies still need to be concerned about these flaws remaining open. According to Chris Eng, vice president of research at CA Veracode, the closure rate for known flaws reaches just below 30% in the first month of finding a vulnerability. And after three months, only about 45% of all flaws are being closed and addressed.
“It is crucial for organizations to understand how many flaws in their software remain open and how long it takes them to address those flaws,” explained Eng. “This year, we’ve taken a closer look at our customers’ fix rate, and when we look at the curve for the average fix velocity from the first day of discovery, we see that it takes organizations a lengthy amount of time to address the majority of their flaws.”
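The fix-rate figures quoted above (closure rate at one month and at three months after discovery) are simple to compute from a scan backlog, but only if recently discovered flaws that have not yet had a full window to be fixed are excluded, otherwise the rate is dragged down. The following is an added example, not Veracode’s code or methodology: the flaw records, severities and dates are constructed, and `closure_rate`, `fix_velocity_curve` and `open_backlog_by_severity` are hypothetical helper names.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Flaw:
    """One finding from a scan; `closed` is None while the flaw is still open."""
    flaw_id: str
    severity: str
    discovered: date
    closed: Optional[date]


def closed_within(flaw: Flaw, days: int) -> bool:
    """True if the flaw was closed no later than `days` days after discovery."""
    return flaw.closed is not None and (flaw.closed - flaw.discovered).days <= days


def closure_rate(flaws: Iterable[Flaw], days: int, as_of: date) -> float:
    """Fraction of flaws closed within `days` of discovery, measured at `as_of`.

    Only flaws whose full `days` window has elapsed by `as_of` are counted.
    A flaw found last week cannot fairly count against a 90-day rate yet
    (right-censoring), so it is left out until its window has passed.
    """
    eligible = [f for f in flaws if f.discovered + timedelta(days=days) <= as_of]
    if not eligible:
        return 0.0
    return sum(closed_within(f, days) for f in eligible) / len(eligible)


def fix_velocity_curve(flaws: Iterable[Flaw], as_of: date,
                       checkpoints=(30, 60, 90)) -> Dict[int, float]:
    """Closure rate at each checkpoint (days after discovery), as a dict."""
    flaws = list(flaws)
    return {d: closure_rate(flaws, d, as_of) for d in checkpoints}


def open_backlog_by_severity(flaws: Iterable[Flaw], as_of: date) -> Dict[str, int]:
    """Count flaws still open at `as_of`, grouped by severity, to drive prioritisation."""
    counts: Dict[str, int] = {}
    for f in flaws:
        if f.discovered <= as_of and (f.closed is None or f.closed > as_of):
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample backlog (not real scan data); the snapshot date is 2018-12-31.
AS_OF = date(2018, 12, 31)
SAMPLE_FLAWS = [
    Flaw("F-001", "high",   date(2018, 1, 10), date(2018, 1, 25)),   # 15 days
    Flaw("F-002", "medium", date(2018, 1, 10), date(2018, 3, 1)),    # 50 days
    Flaw("F-003", "high",   date(2018, 2, 1),  None),                # still open
    Flaw("F-004", "low",    date(2018, 2, 15), date(2018, 2, 20)),   # 5 days
    Flaw("F-005", "medium", date(2018, 3, 1),  date(2018, 9, 1)),    # 184 days
    Flaw("F-006", "low",    date(2018, 4, 1),  date(2018, 6, 1)),    # 61 days
    Flaw("F-007", "medium", date(2018, 5, 1),  None),                # still open
    Flaw("F-008", "high",   date(2018, 6, 15), date(2018, 7, 1)),    # 16 days
    Flaw("F-009", "high",   date(2018, 12, 20), None),               # too new for any window
    Flaw("F-010", "low",    date(2018, 11, 15), date(2018, 11, 20)), # 5 days; only 30-day window elapsed
]

if __name__ == "__main__":
    for days, rate in fix_velocity_curve(SAMPLE_FLAWS, AS_OF).items():
        print(f"closed within {days:3d} days: {rate:.1%}")
    print("open backlog by severity:", open_backlog_by_severity(SAMPLE_FLAWS, AS_OF))
```

On the constructed data, 9 flaws are old enough for the 30-day window and 4 of them were closed in time (44.4%); only 8 are old enough for the 90-day window and 5 of those were closed in time (62.5%). Note that F-009 and F-010 drop out of the longer windows rather than being counted as failures, and that the backlog view shows two open high-severity flaws, which is what a team choosing between practicality and security should be looking at first.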
Unfortunately, flaws and vulnerabilities aren’t always easy to fix. Eng also explained that because organizations can face a large number of flaws, they often have to trade security against practicality and delivery speed. There are sometimes simply too many vulnerabilities for companies to address at once. In that case, the biggest and riskiest vulnerabilities should be fixed first.
So how can organizations better protect their applications and reduce vulnerabilities? For starters, it’s important to invest in the right type of technologies and software. Understanding the differences between certain systems, like how 2D barcodes can hold more complex information than 1D barcodes, can be a good place to start. Additionally, organizations should be raising awareness within their development teams about recurring flaws. And lastly, finding the most effective way to prioritize which vulnerabilities receive attention first is essential; leaving major vulnerabilities open can be disastrous.
While software security is slowly but surely improving, this report shows that there are still several vulnerabilities, flaws, and problems that companies should be on the lookout for.