Massachusetts-based security firm Veracode recently unveiled its annual State of Software Security Report for 2016. A significant takeaway from the report is that the open-source components used in software development account for a substantial proportion of security vulnerabilities. The report is grounded in an extensive study encompassing over 300,000 assessments performed on enterprise applications over 18 months.
In the labyrinth of programming languages, Java emerged at the forefront, with 97% of applications written in it found to harbor at least one vulnerability. These vulnerabilities, which range from severe to low-grade, stem from their component parts, i.e., the bits of reusable code that developers utilize to pen software. Consequently, 25% of all Java applications reportedly possess a known vulnerable component, which plays a substantial role in Java’s high vulnerability ratings.
Interestingly, Java, initially a product of Sun Microsystems in 1995, was subsequently taken over by Oracle following its 2009 acquisition of Sun. Java has developed a notoriety for its inherent security flaws, prompting a series of frequent security patches.
Chris Wysopal, co-founder and chief technology officer of Veracode, alerted Fortune to the impending danger residing in code components. He stated, “there’s a danger in code components being reused throughout many applications without developers necessarily realizing it…a lot of risk is inherited, and people don’t know, because it’s two steps removed.”
The report also highlights that information leakage at 72% and cryptographic issues at 65% stand as the main sources of vulnerabilities.
It’s not all doom and gloom, though. The report lauded corporate developers for their improvement in delivering secure applications. However, third-party developers are not keeping pace, exhibiting a deteriorating performance. This performance divide draws a stark contrast between in-house developed applications, which passed the industry benchmark 39% of the time (a rise from 37% last year), and third-party developed applications achieving a mere 25% pass rate, a drop from 28% last year.
Occasionally, these software disparities force companies to insource application maintenance when vendor costs are deemed exorbitant. Moreover, some vendors, having received their payment, may not display the same dedication towards routine application updates.
Interestingly, the health sector shows the lowest vulnerability fix rate across the industries, a fact that poses immense concern according to the report. A common assumption might be that the tech wizards, i.e., security professionals, would top the fix rate. However, the report indicates that only about one-third of flaws get rectified by security experts. On the other hand, the manufacturing industry leads the pack, managing to fix two-thirds of known or reported flaws efficiently.
In conclusion, the report offers food for thought for enterprises relying on vulnerable platforms like Java, pressing the need for constant updates and security checks. The lessons learned here offer a road map towards better software development practices and more secure enterprise applications.