Insecure software is significantly impacting our world. In a recent statement, CISA Director Jen Easterly declared: “Features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion. That has to stop... We are at a critical juncture for our national security.”
Our State of Software Security 2024 report explores a key area this trade-off of speed to market prioritized against security has resulted in: security debt. Our data shows that nearly half of organizations have persistent, high-severity flaws that constitute critical security debt. We also reveal what organizations without it are doing right. Here's how to leverage this new data to enhance application risk management practices in 2024.
Understanding the State of Software Security 2024
Though the world of technology is rapidly evolving, one thing hasn’t changed: all software security comes back to code and vulnerabilities. New solutions, like Cloud-native Application Protection Platform (CNAPP), aren't solving a new problem. They’re solving the same problem – of insecure code – in a different environment.
Software must run in an environment. People are carving out solutions for different environments where software runs (cloud, container, mobile, etc), but the vulnerabilities don't change.
Insecure code in software is the root cause of this international security problem and the most economical way to solve it. That's why our mission is a world where software is secure from the start; that’s what we focused our research on in this year’s report.
Overview of Security Debt and Its Impact on Organizations
Very loosely, security debt (also called technical debt) is the gap between flaws being created and flaws being fixed. For the purposes of our report, we define security debt as flaws that remain unremediated for over one year.
Key findings from the report reveal that 71% of organizations have security debt, and as mentioned, 46% of organizations have critical security debt. Criticality and the severity of these flaws is determined by the potential impact on confidentiality, integrity, and availability. When it comes to managing application risk, these flaws are posing the most risk to organizations.
We know from our 2023 report that security debt accumulates over time – regardless of the size of the application. Once an application gets to an install base or scale of users that it’s useful for attackers, there’s likely plenty of security debt and more being added each year.
Data-driven Strategies for Effective Application Risk Management
What can be done to effectively manage risk by tackling security debt? Let’s explore the strategies that surfaced from the report.
-
Continuously scan first and third-party code.
Security debt accrues at similar rates in first and third-party code and affects applications both large and small. Roughly 63% of applications have flaws in first-party code and 70% contain flaws in third-party code. That’s why testing both throughout the software development lifecycle (SDLC) is so critical.
-
Continuous scanning must be accompanied by continuous remediation to be effective.
Development teams that fix flaws the fastest are 4x less likely to let critical security debt materialize in their applications.
-
Educate developers on secure coding practices.
Among organizations that use Security Labs, 37% have security debt. Compare that to 48% among application teams that do not. The time-to-fix difference is even more significant. Applications developed by teams that aren’t using the Labs take seven months longer to reach that 37% mark.
-
Address resource constraints and remediation capacity.
Only 64% of applications demonstrate a sustained capacity to eliminate all critical security debt. Constraints in remediation capacity mean prioritizing flaws for remediation is essential.
Looking Ahead: Future Trends in Application Risk Management
We look to Artificial Intelligence (AI) to revolutionize software security now and in the future. AI enables teams to efficiently scale remediation efforts and tackle the extensive backlog of security debt, as well as promptly address emerging vulnerabilities. Veracode Fix, with its AI-generated code edits, offers a solution to address the majority of CWEs (Common Weakness Enumeration) rated from medium to very high severity.
As organizations strive to secure their software applications in an increasingly complex environment, data-driven strategies offer a path towards effective application risk management.
By leveraging insights from the State of Software Security 2024 report and implementing data-driven approaches, businesses can proactively identify vulnerabilities, prioritize risks, and mitigate potential threats. Embracing these strategies will not only enhance security posture but also contribute to a future where software is secure from the start.