A new Veracode report on application security finds that while things are generally getting better, some persistent problems remain, including the use of flawed open source and third-party code libraries.
That finding comes in the 12th State of Software Security report from the application security testing specialist. The report is based on data collected from Veracode services and customers, including millions of scans of various types. The report includes findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis and/or manual penetration testing.
“Open source libraries are still a significant cause for concern,” the report says, referencing a persistent and well-documented problem that continues today. Part of that persistence might be attributable to developer habits.
“Most developers stick with the same libraries year over year,” says one section of the report, while another says, “history is teaching us that we will experience the same types of flaws year after year.”
Nevertheless, the report notes that third-party libraries now have fewer flaws and that they’re getting addressed faster.
“On a positive note, there is a noticeable improvement in time to remediation for third-party flaws. Back in 2017, it would take over three years to get to the 50 percent (half-life) closed point and now it takes just over a year.”
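The “half-life” figure above is the point at which half of the third-party findings in a cohort have been closed. To make that metric concrete, the following is an added example, not Veracode’s code and not a reconstruction of the report’s methodology: it computes the half-life per discovery-year cohort from scan records. All library names, finding identifiers and dates are constructed placeholders, and the 1,200-day and 380-day results are chosen only to mirror the “over three years” versus “just over a year” contrast quoted above.

```python
"""Remediation half-life for third-party findings, from constructed scan records.

Added example for this article; it is not Veracode's code and does not claim to
reproduce the report's methodology. All findings, library names and dates below
are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    library: str            # placeholder name, not a real package
    finding_id: str         # placeholder id, not a real CVE
    found: date             # date the scanner first reported it
    closed: Optional[date]  # None while the finding is still open


def half_life_days(findings: Iterable[Finding], as_of: date) -> Optional[int]:
    """Days after discovery by which at least half of the cohort was closed.

    Open findings are right-censored: all we know is that they are at least
    `as_of - found` days old. The half-life is therefore reported only when
      (a) at least ceil(n/2) findings are already closed, and
      (b) no still-open finding is younger than the candidate value, because
          such a finding could close tomorrow and pull the median down.
    Otherwise None is returned, meaning "not yet determinable".
    """
    cohort: List[Finding] = list(findings)
    if not cohort:
        return None
    closed_ages = sorted(
        (f.closed - f.found).days for f in cohort
        if f.closed is not None and f.closed <= as_of
    )
    open_ages = [
        (as_of - f.found).days for f in cohort
        if f.closed is None or f.closed > as_of
    ]
    needed = (len(cohort) + 1) // 2   # ceil(n / 2)
    if len(closed_ages) < needed:
        return None                   # (a) fewer than half closed
    candidate = closed_ages[needed - 1]
    if any(age < candidate for age in open_ages):
        return None                   # (b) a younger open finding could still lower it
    return candidate


def half_life_by_year(findings: Iterable[Finding], as_of: date) -> Dict[int, Optional[int]]:
    """Group findings into cohorts by discovery year and compute each half-life."""
    cohorts: Dict[int, List[Finding]] = {}
    for f in findings:
        cohorts.setdefault(f.found.year, []).append(f)
    return {year: half_life_days(fs, as_of) for year, fs in sorted(cohorts.items())}


def _finding(lib: str, fid: str, found: date, closed_after_days: Optional[int]) -> Finding:
    closed = None if closed_after_days is None else found + timedelta(days=closed_after_days)
    return Finding(lib, fid, found, closed)


# Constructed sample: a 2017 cohort that took years to remediate, a 2020 cohort
# fixed within about a year, and a 2021 cohort still too young to judge.
AS_OF = date(2022, 1, 1)
SAMPLE: List[Finding] = [
    _finding("lib-a", "F-2017-01", date(2017, 1, 10), 400),
    _finding("lib-b", "F-2017-02", date(2017, 3, 1), 1200),
    _finding("lib-c", "F-2017-03", date(2017, 6, 20), 1250),
    _finding("lib-d", "F-2017-04", date(2017, 9, 5), None),    # still open, 1579 days old
    _finding("lib-a", "F-2020-01", date(2020, 2, 3), 90),
    _finding("lib-e", "F-2020-02", date(2020, 4, 15), 200),
    _finding("lib-b", "F-2020-03", date(2020, 5, 30), 380),
    _finding("lib-f", "F-2020-04", date(2020, 10, 1), None),   # open, 457 days old
    _finding("lib-c", "F-2020-05", date(2020, 12, 15), None),  # open, 382 days old
    _finding("lib-a", "F-2021-01", date(2021, 3, 1), 30),
    _finding("lib-g", "F-2021-02", date(2021, 2, 1), 300),
    _finding("lib-b", "F-2021-03", date(2021, 10, 1), None),   # open, only 92 days old
]

if __name__ == "__main__":
    for year, days in half_life_by_year(SAMPLE, AS_OF).items():
        print(f"{year}: {'undetermined' if days is None else f'{days} days'}")
```

The censoring check is the part worth copying into a real dashboard: a naive median over closed findings only will flatter a recent cohort, because the findings that are still open are exactly the slow ones, and the 2021 cohort above shows the metric refusing to report a number until enough of the cohort has aged past the candidate value.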
In addition to looking at the use of software analysis tools and analyzing flaws in software, the report examines how flaws are fixed and looks into the future of secure software. Overall, things are looking up, as the report says, “The trend across all the applications is a general reduction in flaw prevalence.”
However, Veracode noted, increased connectivity of all kinds and the rise of connected, distributed microservices have complicated the app security picture.
“But it’s not just increased connectivity that’s shaping the security landscape — it’s the hypercompetitiveness and the need to constantly innovate,” the report says. “To move faster, many development teams have turned to native cloud technologies, microservices architectures and open source code to accelerate and scale their efforts. Additionally, development teams have adopted agile methodologies and are automating as many steps in the development process as possible.
“While this evolution increases the speed of the software development lifecycle, it also introduces new complexities and risks.”
Some highlights of the report include:
Those specific data points lead to four generalizations about the report’s findings:
“Security debt can build over time and addressing it early can help mitigate work down the road,” Veracode said. “Using multiple types of scanning — static, dynamic and software composition analysis — can give a fuller picture of an application’s security and it helps remediation happen more quickly and more completely.”
About the Author
David Ramel is an editor and writer for Converge360.