Veracode Report Tracks Security Flaws Over the Application Lifecycle

More than 74 percent of applications have at least one security flaw, according to Veracode's 2023 State of Software Security (https://www.veracode.com/state-of-software-security-report) report. Additionally, 69 percent have at least one OWASP Top 10 flaw (https://owasp.org/www-project-top-ten/), and more than 56 percent have at least one Common Weakness Enumeration (CWE) Top 25 flaw (https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html).

Application scanning, the report notes, can help shed light onto the types of flaws that exist as well as the occurrence of flaws over the application lifecycle.

"While over 30 percent of applications show flaws at the first scan, this number drops to approximately 22 percent shortly after, before rising to 30 percent again at four years. The number of applications with new flaws then increases further to approximately 35 percent of applications over four and a half years old," the report says.

Although applications grow at about 40 percent per year, the report says, "that trend is not matched by a commensurate number of new flaws. To the contrary, close to 80 percent of applications do not introduce flaws at all during this early life cycle phase."

The report takes a deep dive into flaws occurring in Java, JavaScript, and .NET applications while also offering common sense advice for improving security. Overall, being informed and then vigilant is key, the report says.

Malware Remains Top Cause of Cybersecurity Incidents

Malware was responsible for 40 percent of confirmed cybersecurity incidents in 2022, as measured by Orange Cyberdefense and detailed in a recent report. According to the Security Navigator 2023 report (https://www.orangecyberdefense.com/global/security-navigator), "Network & Application Anomalies" was the second highest incident type at 19 percent, followed by "System Anomalies" at 11.5 percent.

The report also states that "large" organizations (>10,000) had five times more confirmed incidents than small or medium-sized organizations. "In total large organizations were responsible for 72 percent of the confirmed incident count in 2022."

The free, 64-page report details threats by type, industry vertical, and geographic region, along with responses and insight about how to protect your organization. This information, says Laurent CÈlÈrier, helps "identify the underlying trends that are being confirmed (for example, the untenable pressure of vulnerabilities, with an average patching time that we observe to be 215 days), the technical and geographical evolutions (particularly in terms of ransomware), but also to study the scope and impact of the major events that marked the past year, whether geopolitical (war in Ukraine) or technical (Log4j crisis)."

Specifically, the report's vulnerability scan data shows that:

• Twenty-eight percent of all findings are addressed in fewer than 30 days.
• Seventy-two percent of all findings take 30 days or more to patch.
• Fifty-two percent of all findings take 90 days or more to patch.
• The average age of findings is 215 days.

In terms of vulnerability management, the report also notes that "an average of 50 new vulnerabilities are discovered every day so … it's impossible to patch them all." What's important, says MÈlanie PilprÈ, is "focusing on the real risk using vulnerability prioritization to correct the most significant flaws and reduce the company's attack surface the most."