While the report shows promise on the development side, it also analyzed flaw persistence and measured the longevity of flaws after the initial discovery. Though software security is improving, the report found that one in four flaws remains open more than a year after first being discovered.
Across all sectors, companies are contending with an enormous number of open flaws, but they are also acting on more of them. According to the report, 69% of flaws were closed through remediation or mitigation, a 12% increase since the last report.
An additional key finding was that the number of vulnerable apps remains staggeringly high. In large part, this is the result of open source components, which present significant risks to businesses, the study said.
On first scan, researchers found that more than 85% of all applications had at least one flaw, and more than 13% contained at least one very high severity flaw. One in three applications was vulnerable to attack through a high or very high severity flaw, according to the report.
Looking at fix rates across 2 trillion lines of code, researchers found that persistent flaws prolong application risk exposure for businesses: more than 70% of flaws were still open one month after discovery, and almost 55% of all flaws remained unaddressed three months after discovery.
Closure times are heavily skewed. A quarter of flaws were fixed within 21 days of discovery, but a quarter of high and very high severity flaws were still unaddressed 290 days after being discovered, and a quarter of all flaws remained open well beyond a year.
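The prevalence and persistence figures above (share of apps with a flaw of a given severity, share of flaws still open after 30/90/365 days, the number of days within which a quarter of flaws are closed) are straightforward to compute for your own scan history. The following is an added example, not code or data from the report: it works from one record per finding with a first-seen date and an optional closure date (the `Finding` layout and the sample records are constructed for illustration). Two caveats a practitioner hits immediately are built in: a flaw discovered last week cannot yet count as having "persisted 90 days", so persistence percentages only include flaws observed for at least that long, and time-to-close percentiles keep still-open flaws in the denominator rather than averaging only the flaws that happened to get fixed.

```python
"""Flaw prevalence and persistence metrics from per-finding scan records.

Added example, not the report's own code. `Finding` and the SAMPLE data
below are constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str           # "very_high", "high", "medium" or "low"
    first_seen: date        # date a scan first reported the flaw
    closed: Optional[date]  # date it was remediated or mitigated; None if still open

    def age_days(self, as_of: date) -> int:
        return (as_of - self.first_seen).days

    def days_to_close(self) -> Optional[int]:
        return None if self.closed is None else (self.closed - self.first_seen).days


def app_prevalence(findings: Iterable[Finding], severities: Optional[Set[str]] = None) -> float:
    """Fraction of apps with at least one flaw (optionally restricted to `severities`),
    as reported on first scan, i.e. regardless of whether it was later closed."""
    apps = {f.app for f in findings}
    affected = {f.app for f in findings if severities is None or f.severity in severities}
    return len(affected) / len(apps) if apps else 0.0


def still_open_after(findings: Iterable[Finding], days: int, as_of: date) -> Optional[float]:
    """Fraction of flaws still open `days` after first discovery.

    Only flaws discovered at least `days` before `as_of` are eligible; newer
    flaws are right-censored and would understate persistence if counted."""
    eligible = [f for f in findings if f.age_days(as_of) >= days]
    if not eligible:
        return None
    open_count = sum(1 for f in eligible if f.closed is None or f.days_to_close() > days)
    return open_count / len(eligible)


def days_to_close_fraction(findings: Iterable[Finding], fraction: float,
                           severities: Optional[Set[str]] = None) -> Optional[int]:
    """Days within which `fraction` of the flaws were closed (0.25 -> "a quarter
    fixed within N days"). Still-open flaws stay in the denominator; returns None
    if fewer than `fraction` of the flaws have been closed at all."""
    pool = [f for f in findings if severities is None or f.severity in severities]
    if not pool:
        return None
    closed_times = sorted(f.days_to_close() for f in pool if f.closed is not None)
    needed = math.ceil(fraction * len(pool))
    if needed == 0 or needed > len(closed_times):
        return None
    return closed_times[needed - 1]


# Constructed sample: nine findings across five apps, observed as of 2018-12-31.
AS_OF = date(2018, 12, 31)
SAMPLE: List[Finding] = [
    Finding("app-a", "very_high", date(2018, 1, 10), date(2018, 1, 20)),   # closed in 10 days
    Finding("app-a", "high",      date(2018, 1, 10), date(2018, 4, 15)),   # closed in 95 days
    Finding("app-b", "medium",    date(2018, 2, 1),  None),                # open 333 days
    Finding("app-b", "very_high", date(2017, 6, 1),  None),                # open 578 days
    Finding("app-c", "low",       date(2018, 3, 1),  date(2018, 3, 10)),   # closed in 9 days
    Finding("app-c", "high",      date(2018, 5, 1),  date(2018, 11, 20)),  # closed in 203 days
    Finding("app-d", "medium",    date(2018, 11, 15), None),               # open 46 days
    Finding("app-d", "high",      date(2018, 12, 20), None),               # open 11 days
    Finding("app-e", "low",       date(2018, 6, 1),  date(2018, 6, 3)),    # closed in 2 days
]

HIGH = {"high", "very_high"}


def persistence_summary(findings: List[Finding] = SAMPLE, as_of: date = AS_OF) -> Dict[str, Optional[float]]:
    """The headline numbers the report quotes, computed for `findings`."""
    return {
        "apps_with_any_flaw": app_prevalence(findings),
        "apps_with_very_high": app_prevalence(findings, {"very_high"}),
        "apps_with_high_or_very_high": app_prevalence(findings, HIGH),
        "open_after_30d": still_open_after(findings, 30, as_of),
        "open_after_90d": still_open_after(findings, 90, as_of),
        "open_after_365d": still_open_after(findings, 365, as_of),
        "q1_days_all": days_to_close_fraction(findings, 0.25),
        "median_days_all": days_to_close_fraction(findings, 0.5),
        "q3_days_all": days_to_close_fraction(findings, 0.75),
        "q1_days_high": days_to_close_fraction(findings, 0.25, HIGH),
    }


if __name__ == "__main__":
    for name, value in persistence_summary().items():
        print(f"{name}: {value}")
```

Note that `q3_days_all` comes back as `None` for the sample: fewer than three quarters of the flaws have been closed, so the 75th percentile of time-to-close is not yet known rather than being some number computed from the closed subset only. Reporting it as unknown is the honest answer; quoting a quartile from closed flaws alone is how fix-time statistics end up flattering the programme.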
“Security-minded organizations have recognized that embedding security design and testing directly into the continuous software delivery cycle is essential to achieving the DevSecOps principles of balance of speed, flexibility and risk management,” said Chris Eng, vice president of research, CA Veracode.
“Until now, it’s been challenging to pinpoint the benefits of this approach, but this latest State of Software Security report provides hard evidence that organizations with more frequent scans are fixing flaws more quickly. These incremental improvements amount over time to a significant advantage in competitiveness in the market and a huge drop in risk associated with vulnerabilities.”