Security firm Veracode, based in Burlington, Massachusetts, has released its annual State of Software Security Report for 2016 on enterprise security. The first thing to know is that open source components used in software development account for most of the security vulnerabilities found. The other thing to know is that the report is based on over 300,000 assessments run on enterprise applications over an 18-month period.
Of all the programming languages, Java topped the list: 97 percent of apps written in it were found to have at least one vulnerability. Some of these threats, which range in severity from severe to low, come from the applications' component parts, the reusable bits of code developers pull in to build a piece of software. The use of known vulnerable components, which the report says can be found in 25 percent of all Java apps, also played a major role in the high vulnerability rating Java received.
Java, first developed by Sun Microsystems in 1995 and now owned by Oracle, which acquired the originating company in 2009, has long been known for security flaws, hence the frequent security patches. Chris Wysopal, co-founder and chief technology officer of Veracode, told Fortune that “there’s a danger in code components being reused throughout many applications without developers necessarily realizing it… a lot of risk is inherited, and people don’t know, because it’s two steps removed.”
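The "two steps removed" problem Wysopal describes is a transitive-dependency problem: an application's direct dependencies look clean, but a library pulled in by one of them carries a known flaw. The following example is added here to illustrate that point; it is not code from Veracode or from the report. The dependency graph, the component names and the advisory identifiers (EXAMPLE-ADV-…) are all constructed for the illustration and do not refer to real libraries or real CVEs. It walks the graph from the application root, reports every known-vulnerable component it can reach along with the path by which the risk is inherited, and contrasts that with a naive check that only looks at direct dependencies.

```python
from collections import deque

# Constructed dependency graph: "artifact:version" -> list of its declared dependencies.
# The application itself declares only two libraries; the vulnerable ones sit deeper.
DEPENDENCY_GRAPH = {
    "acme-webapp:1.0":     ["web-framework:2.3", "json-lib:1.8"],
    "web-framework:2.3":   ["http-client:4.1", "logging-core:1.2"],
    "json-lib:1.8":        ["logging-core:1.2"],
    "http-client:4.1":     ["commons-codec:1.5"],
    "logging-core:1.2":    [],
    "commons-codec:1.5":   [],
}

# Constructed advisory list (hypothetical identifiers, not real CVEs).
KNOWN_VULNERABLE = {
    "commons-codec:1.5": "EXAMPLE-ADV-0001",
    "logging-core:1.2":  "EXAMPLE-ADV-0002",
}


def direct_vulnerable(graph, vulnerable, root):
    """Naive check: only the dependencies the application declares itself."""
    return {dep for dep in graph.get(root, []) if dep in vulnerable}


def find_inherited_risk(graph, vulnerable, root):
    """Breadth-first walk of the whole dependency tree.

    Returns {component: (advisory_id, [path, ...])} for every known-vulnerable
    component reachable from root, where each path lists the chain of
    components through which the risk is inherited.
    """
    findings = {}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for dep in graph.get(node, []):
            if dep in path:
                # Cycle in the graph; do not loop forever.
                continue
            new_path = path + [dep]
            if dep in vulnerable:
                advisory, paths = findings.setdefault(dep, (vulnerable[dep], []))
                paths.append(new_path)
            queue.append((dep, new_path))
    return findings


def hops_removed(path):
    """Number of dependency edges between the application and the component."""
    return len(path) - 1


def report(graph, vulnerable, root):
    """Human-readable summary lines, one per inherited-risk path."""
    lines = []
    for component, (advisory, paths) in sorted(find_inherited_risk(graph, vulnerable, root).items()):
        for path in paths:
            lines.append(f"{component} ({advisory}) is {hops_removed(path)} steps removed: "
                         + " -> ".join(path))
    return lines


if __name__ == "__main__":
    root = "acme-webapp:1.0"
    print("Direct-dependency check finds:", direct_vulnerable(DEPENDENCY_GRAPH, KNOWN_VULNERABLE, root) or "nothing")
    for line in report(DEPENDENCY_GRAPH, KNOWN_VULNERABLE, root):
        print(line)
```

In this constructed graph the direct-dependency check finds nothing, while the full walk reports both vulnerable components, each reached only through one or more intermediate libraries. In practice the graph would come from the build tool's resolved dependency tree and the advisory list from a vulnerability database; the walk itself is the same.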
The report also notes that information leakage and cryptographic issues were the leading categories of vulnerability, at 72 percent and 65 percent respectively.
While in-house developers are getting better at building more secure applications, third-party developers are getting worse. The report found that apps developed by in-house teams passed the industry benchmark 39 percent of the time, versus 37 percent last year, while third-party apps passed 25 percent of the time, compared with 28 percent last year. In some cases, companies feel it is too expensive to keep paying vendors for maintenance, a common situation in many firms; they would rather buy an application and maintain it in-house. At other times, a vendor that has already been paid for its application may not feel the need to keep updating it.
The sector with the lowest vulnerability fix rate is healthcare, and that industry's low scores on these application security benchmarks are troubling, according to the report. While you might expect the technology sector to have the highest fix rate, the report notes that only about a third of flaws are fixed by security professionals there. Manufacturing has been the best at fixing known or reported flaws, at a two-thirds rate.