
Veracode studies security testing data


Veracode’s 2017 State of Software Security Report reviews application security testing data from scans of its customers’ applications, with results broken down by industry.

The report found that 88% of Java applications contain at least one vulnerable component, and that approximately 53% of Java applications rely on a vulnerable version of the Apache Commons Collections component.

Chris Wysopal, CTO at Veracode, said: “The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit.”

Studies show up to 75% of a typical application’s code is made up of open source components. The use of components in application development is common practice as it allows developers to reuse functional code – speeding up the delivery of software.

In addition to data on the threat posed by the use of vulnerable components, the 2017 State of Software Security Report also found:

  • Vulnerabilities continue to crop up in previously untested software at alarming rates, with 77% of apps having at least one vulnerability on initial scan
  • Government organisations continue to underperform those in other industries, with a 24.7% pass rate at latest scan and the highest prevalence of highly exploitable vulnerabilities such as cross-site scripting (49%) and SQL injection (32%)
  • Critical infrastructure had the strongest OWASP pass rate (29%) across all industries studied, though it saw a slight decline in pass rate (29.5%) on the last scan

Wysopal continued: “Development teams aren’t going to stop using components – nor should they. But when an exploit becomes available, time is of the essence. Open source and third-party components aren’t necessarily less secure than code you develop in-house, but keeping an up-to-date inventory of what versions of a component you are using.

“We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”
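The inventory Wysopal describes, and the Commons Collections figure earlier in the piece, come down to one question: which versions of which components does each application actually declare? The script below is an added example (it is not Veracode’s tooling or anything from the report). It parses a constructed Maven pom.xml, resolves `${property}` version references, and flags any tracked component whose version is older than the release that carried the fix. The fix cut-offs hard-coded in FIX_RELEASES (3.2.2 for the commons-collections 3.x line, 4.1 for commons-collections4) are this example’s assumption, taken from the Apache project’s own release history; verify them against the project advisory before relying on them. Dependencies whose version cannot be resolved from the file (inherited from a parent POM or a BOM) are reported separately rather than silently passed.

```python
"""Build a component inventory from a Maven pom.xml and flag versions below a
known fix release.  Added example only; not code from Veracode or the report."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Advisory table for this example: (groupId, artifactId) -> first fixed version.
# Assumption: Apache Commons Collections shipped its deserialization fix in
# 3.2.2 (3.x line) and 4.1 (4.x line).  Check the project advisory yourself.
FIX_RELEASES = {
    ("commons-collections", "commons-collections"): "3.2.2",
    ("org.apache.commons", "commons-collections4"): "4.1",
}

# Constructed sample pom.xml (invented for this example, not a real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <cc4.version>4.0</cc4.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>${cc4.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); a non-numeric suffix such as '-beta1' is dropped,
    so '4.0-beta1' compares as (4, 0).  Tuple comparison then orders releases."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _field(dep, tag, props):
    """Read a child element of <dependency>, expanding ${name} from <properties>."""
    node = dep.find("m:" + tag, NS)
    if node is None or node.text is None:
        return None
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)),
                  node.text.strip())


def inventory(pom_xml):
    """Return [(groupId, artifactId, version or None)] for declared dependencies."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    proj_version = root.find("m:version", NS)
    if proj_version is not None and proj_version.text:
        props["project.version"] = proj_version.text.strip()
    return [(_field(d, "groupId", props),
             _field(d, "artifactId", props),
             _field(d, "version", props))
            for d in root.findall("m:dependencies/m:dependency", NS)]


def find_vulnerable(items, fix_releases=FIX_RELEASES):
    """Split tracked components into (vulnerable, unresolved).

    unresolved holds tracked components whose version is missing or still an
    unexpanded ${property}: they are inherited from a parent or BOM and must be
    checked there, not treated as safe."""
    vulnerable, unresolved = [], []
    for group, artifact, version in items:
        fixed = fix_releases.get((group, artifact))
        if fixed is None:
            continue  # not a component we track in this example
        if version is None or "${" in version:
            unresolved.append((group, artifact, version))
        elif parse_version(version) < parse_version(fixed):
            vulnerable.append((group, artifact, version, fixed))
    return vulnerable, unresolved


def scan(pom_xml):
    """Convenience wrapper: inventory a pom and check it against FIX_RELEASES."""
    return find_vulnerable(inventory(pom_xml))


if __name__ == "__main__":
    vuln, unres = scan(SAMPLE_POM)
    for g, a, v, fixed in vuln:
        print(f"VULNERABLE {g}:{a}:{v} (fixed in {fixed})")
    for g, a, v in unres:
        print(f"UNRESOLVED {g}:{a} version {v!r}; check parent POM or BOM")
```

Run against the constructed pom it reports both Commons Collections entries (the 4.x one only after expanding `${cc4.version}`) and ignores commons-io, which is not in the advisory table. Remove the `<cc4.version>` property and the 4.x entry moves to the unresolved list instead of vanishing, which is the behaviour you want from an inventory: a version you cannot determine is a gap to close, not a pass.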

The report draws on scan data from more than 1,400 Veracode customers.