Veracode studies security testing data

 Veracode’s report, 2017 State of Software Security Report, reviewed its application security testing data from scans conducted by industry trends.

The report found that 88% of Java applications contain at least one vulnerable component, and that approximately 53% of Java applications rely on a vulnerable version of the Commons Collections components.

Chris Wysopal, CTO at Veracode, said: “The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit.”

Studies show up to 75% of a typical application’s code is made up of open source components. The use of components in application development is common practice as it allows developers to reuse functional code – speeding up the delivery of software.

In addition to information regarding threat posed by the use of vulnerable components, the 2017 State of Software Security Report also found:

  • Vulnerabilities continue to crop up in previously untested software at alarming rates, with 77% of apps having at least one vulnerability on initial scan
  • Government organisations continue to underperform those in other industries with a 24.7% pass rate at latest scan ad the highest prevalence of highly exploitable vulnerabilities like cross-site scripting (49%) and SQL injection (32%)
  • Critical infrastructure had the strongest OWASP pass rate (29%) across all industries studied, though it saw a slight decline in pass rate (29.5%) on the last scan

Wysopal continued: “development teams aren’t going to stop using components – nor should they. But when an exploit becomes available, time is of the essence. Open source and third party components aren’t necessarily less secure than code you develop in-house, but keeping an up-to-date inventory of what versions of a component you are using.

“We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”

The report was conducted by more than 1,400 Veracode customers.