Businesses in Europe take much longer to fix flaws in their security solutions than their American or Asia-Pacific peers. This leads to what's known as “security debt”, and results in some flaws never being fixed. The good news is that there aren’t as many flaws as there used to be.
These are the conclusions of a new report released by Veracode, a provider of application security testing (AST) solutions. Its State of Software Security (SOSS) Volume 10 report says that globally, 83 per cent of applications have at least one flaw in the initial scan. Most commonly, those flaws are information leakage, cryptographic issues or CRLF injection.
At the same time, developers are making progress, with almost three quarters (70 per cent) reducing the number of flaws after the first scan, or not introducing new ones by the time of the final scan.
Veracode says this is important because the longer a flaw remains open, the less likely it is to be corrected. This leads to what’s known as “security debt” – accumulated software flaws.
In order to eliminate (or at least reduce) security debt, businesses should increase the frequency and cadence of security testing. Apps scanned less than once a month have a median time to remediate of 68 days. On the other hand, those scanned daily have a median time to remediate of 19 days.
The differences in some key measures of software security testing become quite large when comparing regions. Asia-Pacific companies have the most high-severity flaws (40 per cent), more than American (37 per cent) or European (32 per cent) companies.
The Americas and EMEA fixed their flaws at the same rate (73 and 72 per cent respectively), which Veracode sees as “impressive”.
The full report can be found at this link.