Three out of four applications produced by software vendors fail to meet the Open Web Application Security Project (OWASP) Top 10 standards when initially assessed for security, with over 60% of internally developed applications also failing to achieve compliance.
That's according to research from application security firm Veracode, which has recently published its How do vulnerabilities get into software report. The report continues to attest application vulnerabilities to faults present within the development process, which are consequently exacerbated and capitalised on by an ever-shifting threat landscape.
Exponential demand resulting from heavy reliance on software applications in the modern enterprise is creating a problem for development teams both in-house and within vendor companies.
Pressure is building constantly for developers to construct functional code, at a faster and faster rate. As functionality and speed are prioritised, security requirements are pushed back. In the worst cases, they are entirely foregone, with Veracode's report stating that 30% of companies don't scan for vulnerabilities during code development at any point.
Vulnerable components of code are then likely to be reused, as it's common practice to incorporate reusable, pre-built software components when constructing new applications. It can be difficult to pinpoint all the applications where a risky component is engrained, leaving literally countless applications vulnerable.
For organisations continuing to pursue their digital transformations, the applications which are becoming increasingly integral to core business processes have the unfortunate power to bring operations to a standstill.
Presented with IT networks debilitated by deeply embedded flaws, it's no surprise that cybercriminals are finding new ways to breach applications just as fast as developers are finding new ways of protecting them. Added to this is the increased reliance on software applications, providing cybercriminals with more scope for success in their attacks as simply they have more applications to target.
How do vulnerabilities get into software?
90% of security incidents result from exploits against defects in software
As multiple factors feed this insidious trend, there is no quick fix to reverse it. The threat landscape will not stop evolving, but cybercriminals success can be stunted by positioning security as a top business priority, integrating security with the development process, and giving developers the time and resources necessary to constantly test and fix issues as they arise. This would encourage the introduction of secure coding practices, going a long way towards reducing vulnerabilities and strengthening security.
