Some 60% of applications fail security policies on the first scan, according to the latest annual report from Veracode.
The app security firm’s seventh State of Software Security Report, which highlights the importance of following best practices in software development, draws on 300,000 code assessments over the past year and a half.
It lays much of the blame for insecure apps on the use of third-party and open source components, which it said introduce unnecessary risk into the mix.
The firm claimed around 97% of Java apps contain at least one component with a known vulnerability.
The problem is the knock-on effect of using such components: Veracode revealed that one popular component containing a critical bug spread to another 80,000 components, which may have subsequently been used to develop millions of apps.
Veracode co-founder and CTO, Chris Wysopal, argued that the Java example shows how this kind of risk “can become an epidemic.”
“Organizations don’t have the luxury of assuming their software is secure,” he told Infosecurity by email. “The persistent use of components in software development has meant that security flaws continue to proliferate.”
But all is not lost. The report claimed that following a best practice approach to vulnerability remediation can work.
For example, the top 25% of companies appraised in the report fix almost 70% more security flaws than the average organization.
The use of sandbox technology can also boost security at the development stage, improving “policy-based vulnerability fix rates” by around twofold, according to the study.
“Organizations need to focus on integrating security into the development cycle, using techniques like remediation coaching and eLearning to improve vulnerability fix rates,” Wysopal continued.
“Our research found that companies employing remediation coaching see a 1.45x improvement in flaw density reduction, while those who arm their developers with eLearning opportunities see a 6x improvement in flaw density reduction through their remediation practices.”
The report also revealed that more and more firms are scanning apps multiple times during the development process – with an average of seven scans per app.