Nearly 32% of newly introduced enterprise applications contain security flaws from the first vulnerability scan, software security firm Veracode found in its latest annual State of Software Security Report, published on January 11, 2022.
While the report also shows what the Veracode researchers call a ‘honeymoon period’ that runs until a year and a half after introducing the applications, where fewer flaws are found to be introduced in the applications’ code; this number picks up again after a longer period.
By the time they have been in production for five years, nearly 70% of applications contain at least one security flaw.
“What it shows is that, as they get further along in the applications lifecycle, there’s something that allows the applications to get worse, whether it’s the composition of the teams or developers moving on and off or the codebase just getting more complex,” Chris Eng, chief research officer at Veracode, told Infosecurity.
No Correlation Between Flaw Introduction and the Code Length
Veracode’s researchers, however, found no direct correlation between the growth of an application – when its code gets longer – and the rate of flaw introduction.
Based on these findings, Veracode concluded that “developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs”.
“For example, skipping months between scans correlates with an increased chance that flaws will be found when a scan is eventually run,” a spokesperson said in a statement.
Furthermore, top flaws in apps vary by testing type: for instance, server configuration flaws accounted for 96.5% of vulnerabilities identified by Veracode’s dynamic analysis but for only 11.1% of their static analysis.
This result “highlights the importance of using multiple scan types to ensure hard-to-identify flaws aren’t missed,” the Veracode spokesperson said.
Software Composition Analysis is Vital
With a heightened focus on the software bill of materials (SBOMs) over the past year, a requirement that was part of President Biden’s 2021 executive order Improving the Nation’s Cybersecurity, Veracode’s research team also examined 30,000 open-source repositories publicly hosted on GitHub.
Of those examined, 10% of them hadn’t had a commit – a change to the source code – for almost six years.
“Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins. Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies,” Eng recommended.
Veracode’s report was based on 750,000 enterprise applications across all sectors, scanned using three methods: static analysis, dynamic analysis and software composition analysis (SCA).