The United States, United Kingdom and other governments around the globe are making strides to defend against software supply chain attacks and strengthen the cybersecurity resilience of their departments, partners, and stakeholders. Technology companies are following these developments and emerging government guidance closely, understanding that in a post-SolarWinds and Log4j world, their roles in securing the software they create – along with the applications they use to deliver new innovations – are rapidly evolving.
This heightened awareness has not fully translated into stronger security measures, however. Our recent State of Software Security v12 (SOSS) report found that, when compared to other industries, the technology sector has the second-highest proportion of applications with security flaws, as well as the highest proportion of applications with high-severity flaws.
Given the nature of the industry, it could be argued that tech companies create far more applications – both in number and complexity – than other industries. But considering the potential effects of compromised software on hundreds, or even thousands, of customers and partners, these numbers need to improve. The good news is that small changes can drive big improvements, like automating training so developers can start to understand how to prevent security vulnerabilities in their software, and over time, spend less time fixing what isn’t broken.
And speaking of fixing flaws, this is an area of strength for tech firms today. They boast industry-leading fix times for vulnerabilities discovered by static analysis (SAST) and software composition analysis (SCA) scans and follow manufacturing and financial services in fixing flaws discovered by dynamic analysis (DAST). Tech companies should be applauded for their efficiency, yet there’s still work to be done, as evidenced by the number of days required to fix 50 percent of flaws once they’re detected (123 for DAST, 363 for SCA, and 237 for SAST).
Like most industries, the tech sector sees its fair share of common flaws such as server configuration and insecure dependencies. But compared to last year’s report, this industry shows fewer flaws involving cryptographic issues and information leakage, which suggests that developers are getting savvier when it comes to data protection practices. That’s great to see.
The report also analyzed third-party libraries to identify how vulnerabilities discovered through SCA behave. Across industries, around 30 percent of vulnerable libraries remain unresolved after two years; however, it’s encouraging to see tech companies addressing these flaws at an accelerated pace after the first three months, staying about a month ahead of the cross-industry average.
Embracing a more proactive approach that addresses security earlier in the software development lifecycle could benefit technology companies looking to become even more efficient at fixing flaws and getting ahead of emerging government requirements for securing the software supply chain.
For more information on software security trends in the technology industry, check out The State of Software Security Industry Snapshot: Technology.