Veracode has released this year’s State of Software Security (SOSS) Volume 11 report, which found that most applications have at least one security flaw. The report also found that software teams take about six months to fix half of the flaws discovered (the median time to remediation).
SOSS 11 found that some of the factors driving flaw density and fix time are within a software team’s control, while others are not. Veracode categorized these factors as “nature vs. nurture.”
The report analyzed over 130,000 active applications from the company’s base of over 2,500 clients.
Key findings for State of Software Security (SOSS) Volume 11 report
Over three-quarters (75.8%) of applications have at least one security flaw, while 23.7% have high severity flaws.
Roughly two-thirds (65.8%) of applications tested have at least one flaw from the OWASP Top 10, and 58.8% have at least one flaw from the SANS/CWE Top 25.
Open source libraries introduce additional flaws
Open source libraries were a predisposing (“nature”) factor, according to Veracode. The report noted that 70% of applications inherit at least one flaw from their open source libraries.
In addition, 30% of applications have more flaws in their open source libraries than in their in-house code. A recent example is the Instagram bug (CVE-2020-1895), which originated in the Mozjpeg open source library used for processing uploaded images.
Software scanning and test automation reduce security flaws
Combining multiple scan types improves the efficacy of DevSecOps, according to the SOSS 11 report. Software teams that combine scan types such as dynamic analysis (DAST), static analysis (SAST), and software composition analysis (SCA) have higher fix rates. For example, teams using both SAST and DAST fix half of their flaws 24 days faster than teams using one alone.
Automating security testing within the SDLC (for example, triggering scans through an API rather than on demand) fixes half of the flaws 17.5 days faster.
Fixing software security debt pays off
Reducing security debt by fixing the backlog of known flaws lowers overall software security risk, the report noted. Older applications with a higher flaw density take longer to fix, requiring an average of 63 more days to close half of their flaws.
Chris Eng, Chief Research Officer at Veracode, said that software security is about finding and fixing flaws rather than writing a perfect application.
“Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools,” Eng added.
Software security flaws are programming language dependent
The nature and severity of security flaws vary with the programming language used to build the application.
Overall, 59.3% of applications written in C++ had “high severity” flaws. Other languages with a high share of high severity flaws were PHP (52.6%), .NET (25.0%), and Java (23.8%). Python and JavaScript had the lowest rates of high severity flaws, at 9.6% and 8.6%, respectively.
The most prevalent flaw type per language was information leakage in .NET applications (62.8%), Cross-Site Scripting (XSS) in PHP (74.6%) and JavaScript (31.5%), CRLF injection in Java (64.4%), and cryptographic issues in Python (35.0%). Error handling remained the most common flaw in C++, present in 66.5% of C++ applications.
The report authors recommended that software developers adopt “secure coding practices” and understand the most common type of flaws per language to increase software security.
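To make one of the language-specific flaw classes above concrete, the following is an added example (written for this page in Python; it is not code from the Veracode report or from any of the scanned applications) showing why CRLF injection in an HTTP response header is counted as a flaw: an unvalidated redirect target containing a carriage return and line feed splits the response, letting an attacker add headers and a body of their choosing. The vulnerable builder is shown beside a hardened one that rejects control characters, and a small parser stands in for the browser or proxy that would consume the split response. All function names and the attacker-controlled input are constructed for illustration.

```python
import re
from typing import List, Tuple

# Any CR, LF or NUL in a header value can terminate the current header line
# and start new ones (CWE-113, HTTP response splitting, a form of CRLF injection).
_CTL = re.compile(r"[\r\n\x00]")


def build_redirect_vulnerable(location: str) -> bytes:
    """Vulnerable form: the user-supplied target is concatenated straight
    into the header block, so an embedded CRLF splits the response."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "\r\n"
    ).encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """True if the value contains no characters that can break a header line."""
    return _CTL.search(value) is None


def build_redirect_hardened(location: str) -> bytes:
    """Hardened form: refuse the value outright rather than stripping
    characters, so the attempt fails loudly and is visible in logs."""
    if not is_safe_header_value(location):
        raise ValueError("control characters in Location header value")
    return build_redirect_vulnerable(location)  # safe once the value is vetted


def parse_response(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Minimal parser standing in for a browser or proxy: split the head from
    the body at the first blank line and return (headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(": ")
        headers.append((name, value))
    return headers, body


# Constructed attacker-controlled redirect target (not from the report): it
# ends the Location header, injects a Set-Cookie header, then supplies a body.
INJECTED_TARGET = (
    "/home\r\n"
    "Set-Cookie: session=attacker\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def demo() -> dict:
    """Run the injected value through both builders and report what a client sees."""
    headers, body = parse_response(build_redirect_vulnerable(INJECTED_TARGET))
    try:
        build_redirect_hardened(INJECTED_TARGET)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "injected_headers": headers,      # includes the attacker's Set-Cookie
        "injected_body": body,            # starts with the attacker's script
        "hardened_rejected": hardened_rejected,
        "benign_ok": parse_response(build_redirect_hardened("/home"))[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Rejecting rather than silently stripping CR/LF is the design choice worth copying: a stripped value may still produce a misleading redirect, and the rejection gives SAST and runtime logs a clear signal. Most mature web frameworks already apply this check in their header-setting APIs, which is why the flaw usually appears where code bypasses them and writes headers by hand.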
Common and uncommon software security flaws
Some of the most severe flaw classes, such as buffer overflows, were also among the rarest.
The most prevalent flaw types were information leakage (65.9%), CRLF injection (65.4%), cryptographic issues (63.7%), and code quality (60.4%). Credentials management, insufficient input validation, directory traversal, and Cross-Site Scripting (XSS) each appeared in around 48% of applications.