When it comes to fixing software vulnerabilities, the newest flaws get fixed first and the older ones languish in the proverbial stack.
Companies are fixing a higher percentage of vulnerabilities than ever before, but the focus on fixing newer vulnerabilities means older issues accumulate over time, Veracode said in its tenth State of Software Security report. The annual report covers applications analyzed by Veracode and measures how long it took for the issues found to be fixed. This year's report included 85,000 applications from 2,300 companies, more than fifty times the 1,591 applications tested in the first year of the report.
On average, companies fixed 56 percent of all software security issues discovered between the first application security scan and the final scan, Veracode found. The unfixed remainder becomes "security debt": the number of known flaws in the application increases over time, Veracode said. Like technical debt, security debt increases the organization's risk of a breach, because these forgotten flaws are what attackers will target.
“Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole,” said Chris Wysopal, founder and CTO at Veracode.
Last year's report found that 70 percent of flaws were present in code one month after they were discovered, and 55 percent were present after three months. A quarter of high severity vulnerabilities were still present after 290 days (approximately nine and a half months). Developers fixed 76 percent of the most critical vulnerabilities and 69 percent of the slightly-less-critical-but-still-severe flaws.
However, if a vulnerability didn't get fixed initially, the chances of it getting fixed dropped. The longer a vulnerability remained in the application, the less likely it was to be corrected, the report found. About half of all applications surveyed accrued security debt over time, and a quarter broke even. Just a quarter of the applications were able to reduce security debt.
On the initial scan, 83 percent of the applications analyzed by Veracode had at least one security flaw, compared to 72 percent ten years ago. That doesn't necessarily mean that applications are more insecure initially now than they used to be. More applications are being tested, and current scanning tools are much more robust than they used to be, so it makes sense that more vulnerabilities are being discovered.
In fact, there are signs that the focus on secure coding and frequent testing may be paying off. Only 20 percent of applications scanned had high-severity flaws in the first scan, compared to 34 percent ten years ago. About 70 percent of the applications were able to show they had fewer vulnerabilities or had not introduced any new flaws by the final time the application was scanned.
“The data shows developers are very likely to fix high severity flaws, so there is solid evidence that development teams are getting better at figuring out which flaws are the most important to fix first,” said Chris Eng, chief research officer at Veracode.
The frequency of software security scanning has a direct impact on response times to fixing the flaws, the report found. Organizations that scanned applications less than once a month typically required a median time of 68 days to address the security issues. Organizations that scanned their applications daily required just 19 days. Daily scanning remains uncommon, however.
Only a third of the applications in Veracode's study were scanned between two and six times a year, while another third were scanned just once a year. Less than 1 percent of the applications were scanned 260 times or more in a year.
Security debt doesn't mean the developers are bad at managing vulnerabilities. It just means organizations should think about how frequently they should be testing the software application.
The fact that frequently scanning an application can reduce security debt indicates that DevSecOps can play a role in reducing security debt in an organization, Veracode said.
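As an added illustration (not code from Veracode or the report), the three measures the article leans on can be computed from an application's own scan history: the share of discovered flaws fixed between the first and final scan, whether the open-flaw count grew, held steady or shrank (security debt accrued, broke even or reduced), and the median days from a finding's first report to its disappearance. The scan dates and finding ids below are constructed.

```python
from datetime import date
from statistics import median

# Constructed scan history for one application (not Veracode data): each entry is
# the scan date and the set of finding ids still open in that scan (ids F1..F7 assumed).
SCANS = [
    (date(2019, 1, 7), {"F1", "F2", "F3", "F4"}),
    (date(2019, 2, 4), {"F1", "F2", "F3", "F5"}),  # F4 closed, F5 new
    (date(2019, 3, 4), {"F3", "F5", "F6"}),        # F1 and F2 closed, F6 new
    (date(2019, 4, 1), {"F3", "F5", "F6", "F7"}),  # F7 new; F3 open since scan 1
]

def fix_rate(scans):
    """Share of every finding seen in any scan that is no longer open in the final
    scan: the 'fixed between first and final scan' percentage the report uses."""
    seen = set().union(*(open_ids for _, open_ids in scans))
    still_open = scans[-1][1]
    return (len(seen) - len(still_open)) / len(seen)

def debt_trend(scans):
    """Did the open-flaw count grow (debt accrued), stay flat (broke even) or
    shrink (debt reduced) between the first and the final scan?"""
    first, last = len(scans[0][1]), len(scans[-1][1])
    if last > first:
        return "accrued"
    if last == first:
        return "broke even"
    return "reduced"

def days_to_fix(scans):
    """Map each closed finding to the days between the scan that first reported it
    and the first later scan in which it was absent. Findings still open at the end
    are excluded (censored); a coarse scan cadence also coarsens these numbers."""
    first_seen, closed = {}, {}
    for scan_date, open_ids in scans:
        for fid in open_ids:
            first_seen.setdefault(fid, scan_date)
        for fid, seen_on in first_seen.items():
            if fid not in open_ids and fid not in closed:
                closed[fid] = (scan_date - seen_on).days
    return closed

def median_days_to_fix(scans):
    fixed = days_to_fix(scans)
    return median(fixed.values()) if fixed else None

if __name__ == "__main__":
    print(f"fix rate: {fix_rate(SCANS):.0%}")                 # 43%
    print(f"security debt: {debt_trend(SCANS)}")               # broke even
    print(f"median days to fix: {median_days_to_fix(SCANS)}")  # 56
```

Running the same functions over scan histories of different cadence is how a team can check for itself whether the report's 68-day versus 19-day gap between monthly and daily scanning shows up in its own data.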
“Development teams can’t ignore the findings nor choose to fix the new flaws rather than the old ones. Instead, they should make a plan to fix the new findings and use periodic ‘security sprints’ to fix unresolved flaws that could be exploited,” Eng said.