Regardless of their original size, applications grow by about 40% year on year, increasing their exposure to security threats.

This is one of the findings of the annual Veracode 2023 State of Software Security report, which aims to help businesses meet the twin challenges of reducing security debt and avoiding the introduction of security flaws that accumulate over the life of an application.

The report uses hard data to identify the factors that contribute to the introduction of flaws, offers solutions that lead to faster remediation while lowering security debt, and sets out concrete steps organisations can take now to improve their application security programme for 2023 and beyond. The results were shared by CA Southern Africa.

Craig de Lucchi, CA Southern Africa account director, says: “Historically the Veracode annual research examined the top flaw categories by language but this year’s report took things a step further. Rather than merely identifying the top flaws by language, it was important to discover whether there were variations over the lifetime of an application in production.

“Perhaps more importantly, it examined what steps need to be taken to reduce the introduction of flaws at the outset. The data assisted in getting a better handle on flaw introduction, security debt accumulation, and application lifecycle management.”

The analysis reveals that different languages have different inherent security postures. It also found that flaws are remediated at different rates in different languages, leaving a higher (or lower) de facto chance that flaws will simply accumulate over time.

“A developer might be interested to find out the most common flaws introduced and, once those are identified, take conscious steps to learn how to avoid them. Security people will be interested to see the rate of flaw accumulation and what that means to the overall risk posture,” De Lucchi adds.

The accumulation of flaws is referred to as security debt, a subset of technology debt, and is defined as the number of net flaws remaining once flaw introduction and remediation rates are taken into account. Different languages are said to ‘pay down’ debt at a different rate than they build it up, which makes for a positive or negative difference in accumulation over time.

“Different languages have inherently different security postures, environments, and controls. Veracode is crystal clear on the fact that when they are talking about developers’ preferred programming language, they are not focusing on specific languages or programmers,” De Lucchi comments. “It is acknowledged that flaws happen, and they happen in any and every programming language.

“These flaws, however, are not evenly distributed. The way different languages are architected and implemented can make some security mistakes easier (or harder) to make and that’s what we want to highlight to make us all better.

“Developers can compare how their languages perform and get a view of areas for future focus. Each language seems to have its own predisposition to high and critical-severity flaws that then end up appearing in large numbers,” he adds.

The report notes that the choice of programming language affects the types of flaws that are most commonly introduced, which in turn affects the ecosystem of libraries and third-party software. “Slowing down and taking a look at this reality is useful for organisations wishing to prioritise their training, to know what the most common flaws are and how they might be introduced. This basic awareness can influence code as it is being written, which is the best time to avoid introducing a flaw that could hang around throughout the lifecycle of an application.

“In short, developer awareness of what the most common flaws are, and how they are introduced, can increase diligence and reduce the probability of introducing them at all, leading back to the main point: an ounce of prevention is worth a pound of cure,” De Lucchi concludes.