Intelligent CISO Issue 58 | Page 61


24% of tech apps contain ‘high severity’ security flaws, posing a serious cybersecurity risk if exploited

Veracode, a leading global provider of modern application security testing solutions, has revealed that 24% of applications in the technology sector contain security flaws that are considered high risk – meaning they would cause a critical issue for the application if exploited. With arguably a higher proportion of applications to contend with than other industries, tech firms would benefit from implementing improved secure coding training and practices for their development teams.

Chief Research Officer at Veracode, Chris Eng, said: “Giving developers real, hands-on experience of what it takes to spot and exploit a flaw in code – and its potential impact on the application – provides the context and understanding to build their intuition about software security. Our research found that organisations whose developers had completed just one lesson in our hands-on Security Labs training programme fixed 50% of flaws two months faster than those without such training.”
The data was published in Veracode’s annual State of Software Security (SoSS) report v12, which analysed 20 million scans across half a million applications in the technology, retail, manufacturing, healthcare, financial services and government sectors. Overall, the technology industry was revealed to have the second-highest proportion of applications that contain security flaws, at 79%, making it marginally better than the public sector at 82%. The tech sector lands in the middle of the pack when it comes to the proportion of flaws that are fixed.
Tech firms are comparatively quick to fix software security flaws

Encouragingly, when tech firms do discover flaws in their applications, they are comparatively fast to reach the halfway point of remediation. In fact, the sector boasts industry-leading fix times for flaws discovered by static analysis security testing (SAST) and software composition analysis (SCA). While this is a laudable accomplishment, the industry still takes up to 363 days to fix 50% of flaws, suggesting there is still ample room for improvement.

Eng added: “Log4j sparked a wake-up call for many organisations. This was followed by government action in the form of guidance from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, both of which have a supply chain focus. To improve performance in the year ahead, technology businesses should not only consider strategies that help developers reduce the rate of flaws introduced into code, but also put greater emphasis on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline to increase efficiencies.”

Server configuration, insecure dependencies and information leakage are the most common types of flaws discovered by dynamic analysis of technology applications, which broadly follows a similar pattern to other industries. Conversely, the sector exhibits the highest disparity from the industry average for cryptographic issues and information leakage, perhaps indicating that developers in the tech industry are more savvy on data protection challenges.