One-Fifth of Software Has a Severe Security Flaw
Nearly a fifth of software scanned during the past year has a serious security flaw, according to a new report from application security company Veracode, released this morning.

The study draws on scans of 759,000 applications that Veracode customers conducted with the company’s platform during the past 12 months. Overall, 74 percent of the scanned applications had at least one flaw, and 19 percent had an issue deemed “high or critical severity.” The report defined a flaw as “an implementation defect that can lead to a vulnerability.”

“When you download an application onto your computer, almost 20 percent of the time you’re getting a high-risk [flaw] that at some point in the future will eventually be discovered and a patch will probably be issued,” Veracode CTO and founder Chris Wysopal told Government Technology.
The high portion of software bearing flaws is not unusual — such figures align with Veracode’s findings from previous years, Wysopal said.

Even so, the figures may be an undercount, said the company’s chief research officer, Chris Eng. The report only captures data about software that Veracode customers deemed important enough to scan. Any issues in lower-priority applications would not be reflected.

“There are all the applications that are not business critical enough — or they don’t have scanning in their budget, or for whatever reasons there’s not visibility at this level — they’re not being scanned at all, perhaps,” Eng said. “They’re generating even more security attack vectors than these ones are.”

SOFTWARE LIFE CYCLE: THE 4-YEAR MARK

Fixing flaws isn’t a one-and-done affair, and applications need active maintenance, but they aren’t always getting that throughout their life cycles, the report found.

Organizations appear to more readily address vulnerabilities in new software, according to the report. Roughly 30 percent of applications showed flaws when first scanned. But ensuing scans made “shortly after” turned up issues in only 22 percent, suggesting organizations acted to fix the problems. Similarly, a Veracode press release states that “nearly 80 percent…