Beware of security debt in your software


Vulnerabilities in open-source software typically take companies about a month longer to fix than those in software developed in-house. Insourced software records the highest fix rates, but even software sourced from external contractors gets fixed faster than open-source software, by about two weeks.

That was one of the key findings of Veracode’s latest State of Software Security (SOSS) report, volume 10 of the application security testing provider’s flagship report.

Data used in the compilation of the report was obtained from more than 85 000 applications and over 2 trillion lines of code across more than 2 300 large and small companies, commercial software suppliers, open source projects, and software outsourcers from around the world.

According to the report’s authors, Tim Jarrett, Chris Wysopal and Chris Eng, issues around software security have not changed in many respects since the first SOSS report was published a decade ago.

The first SOSS report noted that software was “very insecure”, and the same applies today. However, certain things have improved, not least the fact that organisations are increasingly focused not just on finding security vulnerabilities but on fixing them, and on prioritising the flaws that put them most at risk.

“The data shows companies are fixing a higher percentage of flaws than ever before,” said Wysopal, cofounder and CTO at Veracode. “However, the report also shows us there is plenty of room for improvement, specifically when it comes to the issue of mounting security debt. Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in a hole.”

Security debt — defined as aging and accumulating flaws in software — is emerging as a significant problem for most organisations. About half of applications are accruing debt over time, a quarter are driving it down, and another quarter are breaking even.

The report also noted that the longer flaws stick around, the lower the chance that they will be corrected, which adds to an organisation’s security debt.
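One way to measure the trend the report describes, as an added example rather than Veracode's own methodology: given each flaw's discovery and fix dates (constructed sample data, not figures from the report), classify an application as accruing, reducing or breaking even on security debt over a window, and check how the chance of a fix drops once a flaw has lingered.

```python
from datetime import date

# Constructed sample scan findings (not data from the report):
# (flaw id, date first seen, date fixed or None if still open)
FINDINGS = [
    ("F1", date(2019, 1, 10), date(2019, 2, 20)),
    ("F2", date(2019, 1, 15), date(2019, 1, 30)),
    ("F3", date(2019, 2, 1), None),
    ("F4", date(2019, 3, 5), date(2019, 9, 1)),
    ("F5", date(2019, 4, 12), date(2019, 5, 10)),
    ("F6", date(2019, 6, 1), None),
    ("F7", date(2019, 7, 20), date(2019, 8, 25)),
    ("F8", date(2019, 9, 15), None),
    ("F9", date(2018, 11, 1), None),
    ("F10", date(2018, 10, 1), date(2019, 3, 1)),
]
START, END = date(2019, 1, 1), date(2019, 12, 31)  # constructed analysis window

def open_flaws_on(findings, day):
    """Number of flaws already discovered and not yet fixed on `day`."""
    return sum(1 for _, seen, fixed in findings
               if seen <= day and (fixed is None or fixed > day))

def debt_trend(findings, start, end):
    """Compare open flaws at the start and end of a window: growth means the
    application is accruing security debt, shrinkage means it is paying it down."""
    delta = open_flaws_on(findings, end) - open_flaws_on(findings, start)
    if delta > 0:
        return "accruing"
    if delta < 0:
        return "reducing"
    return "breaking even"

def fix_chance_after(findings, age_days, as_of):
    """Among flaws still open `age_days` after discovery (and at least that old as
    of `as_of`), the share that were eventually fixed. A value that falls as
    `age_days` rises shows that lingering flaws are less likely to be corrected."""
    survivors = [fixed for _, seen, fixed in findings
                 if (as_of - seen).days >= age_days
                 and (fixed is None or (fixed - seen).days >= age_days)]
    if not survivors:
        return None
    return sum(1 for fixed in survivors if fixed is not None) / len(survivors)

if __name__ == "__main__":
    print(debt_trend(FINDINGS, START, END))      # accruing
    print(fix_chance_after(FINDINGS, 0, END))    # 0.6
    print(fix_chance_after(FINDINGS, 90, END))   # 0.333...
```

In the sample, six of ten flaws are fixed overall, but only a third of those that survived 90 days are, which is the ageing effect the report describes.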

Nevertheless, while the overall prevalence of flaws rose 11% in the past 10 years, the proportion of those flaws assessed to be of high severity dropped 14% over the same period.

“The data shows developers are very likely to fix high severity flaws so there is solid evidence that development teams are getting better at figuring out which flaws are the most important to fix first,” said Chris Eng, Chief Research Officer at Veracode.

While the majority of flaws get fixed, the time typically required to fix them shows no change in the past decade – 59 days on average in 2010 and 59 days in 2019 – with open source taking even longer.

However, this does not mean that open source poses a greater risk to enterprise software security, even though open source components make up between 60% and 80% of the code base in modern applications.


In Security Boulevard’s e-book “Open Source Security: Weighting the Pros and Cons”, author Joan Goodchild concludes that open source is neither more nor less secure than proprietary software, with the security of each piece of software dependent on the security team maintaining it.

“When bugs do arise, fixes are usually available immediately. To use open source securely, it is essential for organisations to conduct regular analysis to find out what components are built into their applications and if any contain vulnerabilities.

“Maintaining proper security hygiene with regular, automated scanning for bugs, as well as developing an internal culture that fosters collaboration between security and development teams will help mitigate risks from using open source,” Goodchild concluded. 
