Veracode Report Finds Open-Source Components Proliferating Digital Risk at an Alarming Rate
Year-over-year improvements in the code organizations write -- but increasing proliferation of risk from open-source and third-party component use
(firmenpresse) - BURLINGTON, MA -- (Marketwired) -- 10/18/16 --
Key Findings:
: Approximately 97 percent of Java applications contained at least one component with a known vulnerability
: 60 percent of applications fail security policies upon first scan
: The top quartile of companies fix almost 70 percent more vulnerabilities than the average company
: Developers using sandbox technology to scan apps prior to assurance testing show 2 times improvement in fix rates
: Best practices like remediation coaching and eLearning can improve vulnerability fix rates by as much as 6 times
: More than half of web applications are affected by misconfigured secure communications or other security defenses
: Some applications being scanned multiple times per day, average security tests per app is seven, with some apps being scanned 600-700 times
Veracode today released the findings in its annual . The seventh edition of the report presents metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months. The report revealed that the continued and persistent use of components in software development is creating systemic risk in our digital infrastructure. However, the report also found that companies achieve accelerated benefits when their application security programs reach maturity. These findings indicate that the growing trend of focusing on digital risk at the application layer and building security into DevOps processes (DevSecOps) can yield great results for organizations in reducing risk without slowing down software development.
Veracode's analysis revealed the growing risk caused by the proliferation of vulnerable open-source components. Veracode found that a single popular component with a critical vulnerability spread to more than 80,000 other software components, which were in turn then used in the development of potentially millions of software programs. Approximately 97 percent of Java applications contained at least one component with a known vulnerability.
"The prevalent use of open-source components in software development is creating unmanaged, systemic risks across companies and industries," said Brian Fitzgerald, CMO, Veracode. "Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease at which millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy."
Veracode's research also highlights the challenges that still exist in software development more broadly. For example, 60 percent of applications failed basic security requirements upon first scan. However, the report found that when companies follow best practices and implement programs with consistent policies and practices for secure development, they are able to remediate vulnerabilities at a higher rate. The study showed that the top quartile of companies fix almost 70 percent more vulnerabilities than the average organization. Additionally, best practices like can improve vulnerability fix rates by as much as six-times. Developers who test unofficially using scanning improve policy-based vulnerability fix rates by about two-times.
"The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in ," said Chris Wysopal, co-founder and CTO, Veracode. "Our platform data shows that more companies are starting to test applications multiple times throughout the development lifecycle. The average number of security tests per app was seven, and some apps were scanned 700-800 times in an 18-month period. We are encouraged by this information because it suggests companies are more deeply embedding security into their ."
Veracode's annual State of Software Security Report also examines the prevalence of vulnerable open-source components in applications, compared industry trends regarding the fixing and finding of vulnerabilities, and security trends pointing to the rise of DevOps environments, such as some applications being scanned multiple times per day. Applications are scanned for security an average of seven times.
To read the full report visit:
Brian Fitzgerald
Veracode
Phone: 339-674-2702
Megan Grasty
Highwire PR
Phone: 415-963-4174, x26
Themen in dieser Pressemitteilung:
Unternehmensinformation / Kurzprofil:
Datum: 18.10.2016 - 10:00 Uhr
Sprache: Deutsch
News-ID 501040
Anzahl Zeichen: 0
contact information:
Town:
BURLINGTON, MA
Kategorie:
Diese Pressemitteilung wurde bisher 118 mal aufgerufen.
Die Pressemitteilung mit dem Titel:
"Veracode Report Finds Open-Source Components Proliferating Digital Risk at an Alarming Rate"
steht unter der journalistisch-redaktionellen Verantwortung von
Veracode (Nachricht senden)
Beachten Sie bitte die weiteren Informationen zum Haftungsauschluß (gemäß TMG - TeleMedianGesetz) und dem Datenschutz (gemäß der DSGVO).
