Veracode has released the 11th volume of its annual State of Software Security report, and its findings reveal that flawed applications are the norm, open-source libraries are increasingly untrustworthy, and it’s taking a long time to patch problems.

The report found a full 76% of apps contained flaws, and 24% of apps have flaws considered highly severe. Some 70% of apps are inheriting security flaws from their open-source libraries, but it’s important to note that only 30% of apps have more security bugs in their open-source libraries than in code written in-house, suggesting that it isn’t solely open-source projects that are to blame.

Open-source libraries are a massive attack surface due to their ubiquity, Veracode said in the report. It also pointed out that there’s no correlation between the quality of in-house code and open-source bugs, highlighting that developers should be verifying the safety of open-source libraries no matter how good they think their own code is. 

SEE: Identity theft protection policy (TechRepublic Premium)

In terms of how bugs are being resolved, Veracode found that 73% of the bugs it found as part of the report were patched, which is a big improvement over previous years, when that number was in the mid-50% range. Despite that good sign, it’s still taking an average of six months to close half of discovered flaws.

As for the kinds of security flaws being found, the report states that the results are consistent with previous years. 

“For the most part, the top flaw types have stayed fairly consistent over the years. Volume 10 last year found that information leakage, cryptographic issues, CRLF injection, and code quality flaws were the most common types of flaws found in applications. In this year’s research, the top three did not move around, and the third place ‘cryptographic issues’ are also found in almost two out of three applications with flaws in this report,” the report said.

Veracode also released a heatmap of the worst bugs in the most popular languages. Interestingly enough, the language with the least use of open-source libraries is also the one with the most bugs: PHP.  

Looking at the heatmap, it’s easy to spot which of the five popular languages included has the worst security. Following PHP is C++, then Java, .Net, JavaScript, and Python. The latter two are, doing considerably better than the competition, with the worst flaws in each only being found in roughly 30% of apps. Compared to PHP with 74.6% of its apps vulnerable to cross-site scripting, JavaScript and Python are security powerhouses.

Regardless of the language you choose, it’s essential to implement best practices, which Veracode describes in the report as “nature vs nurture.” In essence, the nature of apps are elements about them that can’t be controlled, whereas the nurture aspects are those you can control. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

“Even if the developer has inherited an old, gargantuan application with heaps of security debt, and there is no one left who remembers why some things were coded that way, fixing flaws and adding new features don’t have to continue being difficult,” the report said. 

“We’ve looked at the effect of nature and nurture on the security of our applications. We found that nurture—our decisions and actions—can overcome and improve the nature of the application and environment,” Veracode concluded.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see