The latest software security report from Veracode is raising the alarm about the risks of using open source and third-party components during software development.Jens Stark
The use of open source components during software development is very frequently responsible for system risks within the digital infrastructure. This was the finding of the annual report on the State of Software Security (SoSS), published for the seventh time by Veracode. The report is based on data examined within the past 18 months as part of more than 300,000 automated assignments. On the whole, it advises an increased focus on digital risks at the application level and the integration of security aspects in DevOps processes (DevSecOps). When implemented right, these steps can reduce risk without slowing software development.
The analysis by Veracode also showed that vulnerable open source components are responsible for rising risks. One single popular component with a critical security hole impacted more than 80,000 other software components, which in turn were used in the development of millions of software programs. Almost 97 percent of all Java applications, the report claims, contain at least one component with a known security hole.
"The highly popular use of open source components in software development is responsible for uncontrollable systematic risks in companies and industries", explains Julian Totzek-Hallhuber, a Solutions Architect at Veracode. "Today's cyber-criminal can concentrate on one single vulnerability in a component to damage millions of applications. All industries are dependent on these applications to a high degree. The easy with which millions of applications can be compromised can thus cause lasting damage to our digital infrastructure and economy."
The report from Veracode underscores other challenges in software development. For example, it found that 60 percent of applications do not fulfill fundamental security requirements during the first scan. The report did find that companies implementing best practices and implementing programs based on consistent strategies and practices for secure development are in a position to eliminate vulnerabilities more effectively.
The study also showed that the upper quartile of the companies had eliminated almost 70 percent more vulnerabilities than the average company. Beyond this, best practices such as remediation coaching and eLearning can improve the fix rates by as much as sixfold. And developers who test the applications in a developer sandbox improve the guideline-based fix rates by almost double.