Veracode, a global leader in application risk management, has unveiled the 15th edition of its State of Software Security (SoSS) report. This latest research, based on an extensive dataset of 1.3 million unique applications and 126.4 million raw findings, sheds light on evolving security trends and offers fresh insights into software security maturity. The goal is to help organizations enhance their application risk management strategies.

Security Debt on the Rise: Critical Flaws Take Longer to Fix

The report highlights a concerning trend—organizations are taking longer to fix security flaws. Over the past five years, the average time to resolve vulnerabilities has surged from 171 days to 252 days, marking a 327% increase since the first SoSS report was published 15 years ago. Additionally, 50% of organizations now struggle with critical security debt, defined as unresolved vulnerabilities that persist for over a year. A significant portion of these flaws originate from third-party code and the broader software supply chain, exposing businesses to potential financial, reputational, and operational risks.

The Growing Attack Surface: AI and Security Challenges

Chris Wysopal, Chief Security Evangelist at Veracode, emphasizes how the attack surface has become increasingly complex, particularly with the rapid growth of AI-driven development. “Last year, 46% of organizations faced high-severity security debt. While the year-over-year increase might seem small, it’s heading in the wrong direction. Our findings prove that security debt can be reduced, but many organizations struggle to prioritize which vulnerabilities to address first.”


Benchmarking Security Performance: Where Do Organizations Stand?

Veracode’s study categorizes organizations based on their security debt levels. While some maintain minimal debt, others are overwhelmed by it. Most fall somewhere in between, balancing debt-free and debt-ridden applications. Wysopal highlights a critical insight: “The gap between the top 25% and bottom 25% of organizations is striking. This raises the question—what factors contribute to these differences, and how can teams close the gap?”

Key Metrics Defining Security Maturity

Veracode identifies five essential metrics that determine an organization’s security maturity and ability to manage risks effectively:

  • Flaw Prevalence: Top-performing organizations have flaws in fewer than 43% of applications, while weaker ones exceed 86%.
  • Fix Capacity: Leaders fix over 10% of flaws monthly, while lagging teams remediate less than 1%.
  • Fix Speed: High performers resolve half of their security flaws within five weeks, whereas others take over a year.
  • Security Debt Prevalence: Only 17% of applications in leading organizations have security debt, compared to more than 67% in struggling companies.
  • Open-Source Debt: Top organizations maintain open-source critical debt under 15%, while weaker companies see 100% of their critical debt stemming from open-source components.

According to Wysopal, these benchmarks allow organizations to assess their security maturity, understand factors contributing to security debt, and compare their performance with industry standards. The report also offers expert recommendations on improving security resilience.
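The following is an added example, not Veracode's code or its exact methodology: it computes the five metrics above over a constructed set of scan findings and ranks each against the cut-offs the report quotes. The `Finding` fields, the 30-day "month", the 365-day debt threshold and the boundary handling are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
@dataclass
class Finding:
    app: str
    severity: str               # "critical", "high", "medium", "low"
    third_party: bool           # flaw sits in an open-source / vendor component
    opened: date
    closed: "date | None" = None  # None while the flaw is still open
BENCHMARKS = {  # report cut-offs: (leader bound, laggard bound, lower-is-better)
    "flaw_prevalence":   (0.43, 0.86, True),   # share of apps with any open flaw
    "fix_capacity":      (0.10, 0.01, False),  # share of open flaws fixed per month
    "fix_speed_days":    (35,   365,  True),   # age at which half of fixed flaws closed
    "debt_prevalence":   (0.17, 0.67, True),   # share of apps with a flaw open > 1 year
    "oss_critical_debt": (0.15, 1.00, True),   # share of critical debt in third-party code
}

def maturity_metrics(findings, apps, as_of, window_days=30, debt_days=365):
    """The five SoSS-style metrics as of `as_of`; one 'month' is `window_days` long."""
    start = as_of - timedelta(days=window_days)
    ratio = lambda part, whole: len(part) / len(whole) if whole else 0.0
    open_now = [f for f in findings if f.closed is None or f.closed > as_of]
    open_at_start = [f for f in findings if f.opened <= start and (f.closed is None or f.closed >= start)]
    fixed = [f for f in findings if f.closed and start <= f.closed <= as_of]
    close_times = [(f.closed - f.opened).days for f in findings if f.closed and f.closed <= as_of]
    debt = [f for f in open_now if (as_of - f.opened).days > debt_days]
    crit_debt = [f for f in debt if f.severity == "critical"]
    return {"flaw_prevalence": len({f.app for f in open_now}) / len(apps),
            "fix_capacity": ratio(fixed, open_at_start),
            "fix_speed_days": median(close_times) if close_times else 0,
            "debt_prevalence": len({f.app for f in debt}) / len(apps),
            "oss_critical_debt": ratio([f for f in crit_debt if f.third_party], crit_debt)}

def tier(metric, value):
    # 'leader' inside the top-25% bound, 'laggard' at or beyond the bottom-25% bound.
    lead, lag, lower_better = BENCHMARKS[metric]
    if lower_better:
        return "leader" if value < lead else "laggard" if value >= lag else "middle"
    return "leader" if value > lead else "laggard" if value < lag else "middle"
# Constructed sample portfolio (not real data): four apps, six findings.
APPS, AS_OF = ["billing", "portal", "api", "mobile"], date(2025, 1, 31)
SAMPLE = [
    Finding("billing", "critical", True,  date(2023, 6, 1)),                      # OSS critical debt
    Finding("billing", "high",     False, date(2024, 12, 15), date(2025, 1, 10)),  # fixed this month
    Finding("portal",  "critical", False, date(2023, 11, 20)),                     # first-party debt
    Finding("portal",  "medium",   True,  date(2024, 11, 1),  date(2024, 12, 20)),  # fixed last month
    Finding("api",     "high",     False, date(2024, 12, 20)),                     # young open flaw
    Finding("api",     "low",      True,  date(2024, 10, 1),  date(2025, 1, 20)),  # fixed this month
]
```

For the sample, `maturity_metrics(SAMPLE, APPS, AS_OF)` gives flaw prevalence 0.75, fix capacity 0.40, fix speed 49 days, debt prevalence 0.50 and open-source critical debt 0.50, so the portfolio is a leader on fix capacity only and mid-pack elsewhere.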

Regulations Drive Positive Changes in Application Security

There is a silver lining: more organizations are passing security standards. Over the past five years, the percentage of applications meeting the Open Worldwide Application Security Project (OWASP) Top 10 standard has increased by 63%, and it has more than doubled over the past 15 years. Regulatory measures, such as the U.S. SEC cybersecurity ruling and the E.U. Cyber Resilience Act, have prompted software vendors to adopt more rigorous risk management strategies.


A New Approach to Security Maturity

Veracode’s research emphasizes the importance of a strategic, context-driven approach to mitigating security risks. The report recommends two key actions:

  1. Enhancing visibility and integration across the software development life cycle, using automation and continuous feedback to prevent new vulnerabilities.
  2. Prioritizing security findings by contextualizing and correlating threats in a single dashboard, allowing teams to focus on the most critical risks efficiently.

Wysopal underscores the role of advanced security tools in helping organizations manage their security debt. “Application Security Posture Management solutions enable security teams to pinpoint exploitable, reachable, and urgent threats, ensuring informed decision-making.”

As businesses navigate a rapidly evolving threat landscape, strengthening security maturity is crucial. By addressing security debt, leveraging best-in-class tools, and adhering to evolving regulations, organizations can boost resilience and protect themselves from emerging threats.


FAQs

1. What is security debt, and why is it a concern?

Security debt refers to unresolved vulnerabilities that persist over time, making organizations more susceptible to cyberattacks. The longer these flaws remain unfixed, the higher the risk of exploitation.

2. Why is the fix time for security flaws increasing?

The growing complexity of software, reliance on third-party code, and shortage of security professionals contribute to longer fix times. Organizations also struggle to prioritize which vulnerabilities to address first.

3. How does third-party code impact security debt?

Many vulnerabilities originate from third-party components, which organizations may not have direct control over. Without proper monitoring and timely patching, these flaws can accumulate and increase security debt.

4. What can organizations do to reduce security debt?

Organizations should adopt a proactive approach by integrating security early in the software development process, automating vulnerability scanning, and prioritizing high-risk flaws.

5. How do cybersecurity regulations impact security debt management?

New regulations, such as the SEC cybersecurity ruling and the E.U. Cyber Resilience Act, push companies to adopt better risk management practices, leading to improved security postures.

6. What are the key metrics to assess security maturity?

Organizations should evaluate flaw prevalence, fix capacity, fix speed, security debt prevalence, and open-source debt to gauge their security maturity and take steps for improvement.


By staying ahead of security challenges and implementing best practices, organizations can mitigate risks and safeguard their applications against evolving cyber threats.
