Software security: developers drowning in technical debt

Over 70 percent of organizations have security flaws in their software, and half of them are carrying critical flaws they have yet to fix.

(Image: A protected laptop. Created with AI in Bing Designer by heise online / dmk)

By Robert Lippert
This article was originally published in German and has been automatically translated.

The security company Veracode has published the new edition of its The State of Software Security (SOSS) Report. It analyzes how prevalent security flaws are in software, describes the security debt that companies accumulate over the years when they do not fix problems, and makes recommendations for minimizing the risk. The need is real: over 70 percent of companies have security flaws in their software, many of them classified as critical.

According to the study, the blame for security flaws cannot be assigned as neatly as many people assume. 70.2 percent of the applications examined have security-relevant flaws in third-party code, such as integrated libraries or open source components; at the same time, 63.4 percent of applications carry flaws in their own first-party code, written by their development teams.

Flaws that go unfixed accumulate as security debt, a form of technical debt that becomes an ever larger challenge over the life cycle of a piece of software. The report identifies the tendency of development teams to rank functional requirements above security requirements as one cause: defects are no longer fixed as soon as they are found.

Older and larger applications tend to accumulate more security defects, because the complexity of their code base and the number of their dependencies grow over time. Combined with insufficient training in, or ignorance of, secure coding practices and a lack of continuous security testing throughout the development life cycle, this ultimately leads to slower and slower remediation.

However, The State of Software Security 2024 also offers some hope. Even though the inflow of new flaws on top of existing ones will generally exceed a team's capacity to fix them, only about three percent of flaws are considered truly critical. Teams that prioritize fixing this top three percent are in a good position overall.

It is worth taking a look at the most common flaw types, which the report maps to the categories of the Common Weakness Enumeration (CWE) and the Top 10 of the Open Web Application Security Project (OWASP).

Focusing on the most critical vulnerabilities pays off (pictured: prevalence and severity of CWE and OWASP Top 10 weakness categories in software applications).

(Image: Veracode The State of Software Security 2024)

External libraries play an increasingly important role in assessing the security of software. Today, even homegrown software can have dozens or even hundreds of external dependencies. All too often, developers work by the motto "import it and ignore it". Java, Ruby and Python applications in particular have added further dependencies in recent years and stand out for the size of their dependency trees.

The number of libraries per application, tracked over the application's lifetime, varies by programming language.

(Image: Veracode The State of Software Security 2024)

The split between direct and transitive dependencies also varies by programming language. For most languages the "dependencies of dependencies" roughly double the size of the supply chain; in languages such as Java and JavaScript they can multiply the number of dependencies by a factor of five to six.

The report highlights another risk factor: as in previous years, more than half of the applications use libraries that have fewer than ten contributors or have not been updated for over a year. Veracode nevertheless stresses the decisive advantage of open source libraries: as the community around a library grows, more people review the code, and because the code is accessible, bugs are often fixed more quickly.
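The direct-versus-transitive counting in the preceding paragraphs and the two maintenance signals just described (fewer than ten contributors, no update for over a year) can be checked mechanically against a resolved dependency tree. The following Python script is an added example and not code from the article or from Veracode. It walks a constructed, invented dependency graph for an application called `app`, separates direct from transitive dependencies while handling a cycle and a shared dependency correctly, reports the multiplier the report describes, records through which package each transitive dependency arrived, and flags packages by the two signals using made-up contributor counts and release dates. In practice the graph would come from a lockfile or SBOM and the metadata from the package registry or the library's repository.

```python
from collections import deque
from datetime import date

# Constructed dependency graph for an imaginary application "app". Package names
# and edges are invented for this example; each value lists the packages the key
# declares as its own (direct) dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-lib", "http-client"],
    "web-framework": ["template-engine", "http-client", "logging-lib"],
    "template-engine": ["escape-utils"],
    "http-client": ["tls-shim", "logging-lib"],
    "json-lib": [],
    "logging-lib": ["config-utils"],
    "config-utils": ["logging-lib"],  # cycle: the resolver must not loop on this
    "tls-shim": [],
    "escape-utils": [],
}

# Constructed maintenance metadata for the same packages. Contributor counts and
# last-release dates are invented; real values come from the registry or repo.
PACKAGE_METADATA = {
    "web-framework":   {"contributors": 120, "last_release": date(2024, 1, 15)},
    "json-lib":        {"contributors": 30,  "last_release": date(2022, 6, 10)},
    "http-client":     {"contributors": 45,  "last_release": date(2023, 12, 20)},
    "template-engine": {"contributors": 8,   "last_release": date(2023, 11, 2)},
    "logging-lib":     {"contributors": 60,  "last_release": date(2023, 9, 1)},
    "config-utils":    {"contributors": 3,   "last_release": date(2021, 3, 15)},
    "tls-shim":        {"contributors": 5,   "last_release": date(2023, 10, 30)},
    "escape-utils":    {"contributors": 15,  "last_release": date(2023, 8, 12)},
}

# Constructed "today" used for the staleness check.
AS_OF = date(2024, 2, 1)


def resolve(graph, root):
    """Breadth-first walk from root. Returns (direct, transitive, parent):
    direct = packages root declares itself, transitive = everything else that
    gets pulled in, parent = the package through which each one was first
    reached, so the path to any dependency can be explained."""
    parent = {pkg: root for pkg in graph.get(root, [])}
    queue = deque(parent)
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            # Skipping already-seen packages is what makes cycles and
            # diamond-shaped graphs terminate and count each package once.
            if child != root and child not in parent:
                parent[child] = pkg
                queue.append(child)
    direct = set(graph.get(root, []))
    return direct, set(parent) - direct, parent


def dependency_path(parent, root, target):
    """Explain why target is in the tree: the chain root -> ... -> target."""
    path = [target]
    while path[-1] != root:
        path.append(parent[path[-1]])
    return list(reversed(path))


def summarize(graph, root):
    """Direct vs. transitive counts and the factor by which the full tree
    exceeds what the application declares itself."""
    direct, transitive, _ = resolve(graph, root)
    total = len(direct) + len(transitive)
    return {
        "direct": len(direct),
        "transitive": len(transitive),
        "total": total,
        "multiplier": round(total / len(direct), 2) if direct else 0.0,
    }


def flag_risky(packages, metadata, as_of, min_contributors=10, max_age_days=365):
    """Apply the two maintenance signals from the report: fewer than ten
    contributors, or no release within the last year. Returns a dict of
    package -> list of reasons; packages with no findings are omitted."""
    flags = {}
    for pkg in sorted(packages):
        meta = metadata[pkg]
        reasons = []
        if meta["contributors"] < min_contributors:
            reasons.append("contributors=%d" % meta["contributors"])
        age_days = (as_of - meta["last_release"]).days
        if age_days > max_age_days:
            reasons.append("last_release_age_days=%d" % age_days)
        if reasons:
            flags[pkg] = reasons
    return flags


if __name__ == "__main__":
    direct, transitive, parent = resolve(DEPENDENCY_GRAPH, "app")
    print("summary:", summarize(DEPENDENCY_GRAPH, "app"))
    for pkg in sorted(transitive):
        print("why %s: %s" % (pkg, " -> ".join(dependency_path(parent, "app", pkg))))
    for pkg, reasons in flag_risky(direct | transitive, PACKAGE_METADATA, AS_OF).items():
        print("flag %s: %s" % (pkg, ", ".join(reasons)))
```

The parent chain is the practical part: when a transitive library turns up as vulnerable or unmaintained, the path shows which direct dependency pulled it in, and that is the package you can actually upgrade, pin or replace, since the transitive one is not under your control. In this constructed tree, 3 declared dependencies expand to 8 packages (a multiplier of 2.67), and 4 of the 8 trip at least one of the two maintenance signals.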

Because security flaws are so prevalent in applications, Veracode concludes that they are endemic and an inherent part of software development. Only two out of ten applications fix more than ten percent of their open security flaws in an average month. Few teams manage to halt the growth of their security debt.

The report recommends two main approaches to keep the business risk in check.

  1. Since only around three percent of all flaws pose a critical risk, prioritization is crucial. Teams gain a great deal by concentrating on fixing those flaws first.
  2. Artificial intelligence (AI) can help scale remediation capacity, in particular when large language models (LLMs) are trained on specific CWEs so that they can support developers in fixing them. In the long term, this approach could also mean that teams have fewer relevant flaws to fix themselves, freeing up more time for value creation.

(anw)