58% of software vulnerable to Google-style security breaches

The software analysis took in almost 1,600 internally developed, open source and commercial applications and is quite wide-ranging in its scope.

The research is notable because it looks at all possible attack vectors and electronic trickery, and found that between 58% and 88% of software submitted for verification did not achieve an acceptable security score.

Infosecurity notes that the most interesting aspect of this Veracode survey is that it found open source software to have security and remediation rates comparable to those of commercial applications.

In addition, researchers found that open source software scored better than commercial apps when it came to potential backdoors.

Veracode's 'State of Software Security' report is billed as the first report of its kind to provide security intelligence derived from multiple testing methodologies (static, dynamic and manual) on the full spectrum of application types (components, shared libraries, web and non-web applications) and programming languages (including Java, C/C++ and .NET) from every part of the software supply chain.

According to the company, it represents intelligence gleaned from analyzing billions of lines of code submitted to Veracode for independent verification of software security from more than 15 industries.

Delving into the report reveals that third parties are the Achilles heel of the software supply chain: 40% of all applications submitted at the request of large enterprises were from third parties, and more than 30% of all internally developed applications also included identifiable commercial, open source, and outsourced code.

Yet, says the research, software-related industries recorded the lowest security scores on first submission to Veracode. In addition, the prevalence of C/C++ in both commercial and open source suppliers exposes system-compromising vulnerabilities to attackers.

"Because of the depth and breadth of the data in our platform, we have expansive knowledge about risk from all types of applications and across the software supply chain", said Matt Moynahan, CEO of Veracode. "The report not only analyzes the state of security more comprehensively than any others in this market, but it offers specific recommendations for each type of potential threat", he added.

"It's essential reading for security professionals and executives accountable for the software supply chain and its impact on the business."
