Did you know that software vulnerabilities can expose applications to risk and compromise? According to research by Veracode, many organizations struggle to keep pace with a continually developing digital world. The results are rather alarming: 2 out of 3 applications failed to pass the initial security test.
Application security company Veracode has published its State of Software Security (SOSS) Volume 10 report. Over a 12-month period, the company scanned over 85,000 applications. The report shows that 83% of them had at least one security flaw on the very first scan.
The primary aim of the report was to measure the level of so-called “security debt” in different industries. According to Veracode, the growing number of unfixed vulnerabilities in software across the financial, education, government, technology, and other sectors is what it calls “security debt”. Security debt, defined as aging security flaws in software, is emerging as a significant pain point for institutions across the globe.
The testing company has found that the finance sector fixes only 76% of the security flaws discovered in its software. Across all industries, the figure is even lower, at 56%.
Main security vulnerabilities
The results of Veracode’s report show that one-third of applications (36%) used in the financial sector have high-risk security flaws. Code quality (58%), cryptographic issues (61%), and information exposure (66%) are the main categories of vulnerabilities uncovered within the industry.
On average, it takes financial services institutions over two months (67 days) to fix a software flaw. The financial sector is the second slowest industry at fixing vulnerabilities, behind only healthcare.
According to Paul Farrington, the CTO of Veracode, the rapid pace of digital transformation in the financial sector makes integrating new and legacy systems a real challenge, and this is also why a huge number of system vulnerabilities are being discovered. With the financial sector being a prime target for cyber attacks and fraud, the danger posed by security flaws in an industry that holds personal data about people’s wealth is enormous.
What needs to be done
The report shows that application security in the financial sector has improved over the past 10 years. However, a large gap remains, and the security debt still needs to be reduced.
When companies test their applications for security flaws, they prioritize which vulnerabilities to fix based on a number of business objectives. Even though this is best practice, it can also create a backlog of flaws that remain unfixed.
The research also found that organizations that scan their software regularly lower the chance of security flaws being exposed later. Institutions that create specific processes for addressing their security debt are the most successful at lowering overall risk. Conversely, companies that focus only on removing new vulnerabilities while ignoring older ones can only expect their security debt to keep growing. Together, these findings highlight the need for security testing throughout the whole application development cycle.