More than three-quarters of applications written in Java and .NET contain at least one vulnerability from the OWASP Top 10, the list of the most critical web application security risks that developers commonly use as a baseline for application security.
That is according to software testing firm Veracode, which analyzed about 760,000 applications and found that roughly one-fifth of the applications built in these two ecosystems had at least one high-severity or critical vulnerability.
Overall, an average application has about a 27% chance of introducing at least one new vulnerability in any given month, with poorly written and infrequently scanned applications more likely to be flawed. Applications with a long history of security processes and written by well-trained developers are less likely to have new flaws introduced, the data shows.
The analysis highlights the importance of integrating security into the development pipeline, said Tim Jarrett, vice president of strategic product management at Veracode.
“The data consistently show that building security habits into the process yields better results in terms of fixing overall flaws…and slowing the flood of incoming stuff. It’s different,” he says.
Meanwhile, software companies and development teams continue to struggle to keep flaws and vulnerabilities out of their application code. Developers and open source projects are fixing software flaws more quickly, but Veracode’s “State of Software Security” report, published Jan. 11, found that the average vulnerability half-life (the time it takes for half of the flaws found to be fixed) continues to be measured in months rather than days or weeks.
For example, in Java and .NET applications, which together accounted for 71% of all applications analyzed in the study, half of the flaws were still present in the application after 243 and 158 days respectively.
Both application bloat and age have a significant negative impact on security. The average application grows by roughly 40% in code size over its life, and with that growth comes a higher likelihood of vulnerabilities. The analysis found that approximately 54% of two-year-old applications have flaws, rising to 69% for five-year-old applications.
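The report’s half-life figures above are the time by which half of the flaws found have been fixed. Teams that try to reproduce the metric from their own scanner exports usually take the median fix time over closed findings, which silently drops every finding that is still open and so understates how long flaws actually linger. The following is an added example, not code from the article or from Veracode; it computes the half-life with a Kaplan-Meier style survival estimate that keeps still-open findings as right-censored observations, alongside the naive median for comparison. The `Finding` records, the observation-end date and the sample data are constructed for illustration.

```python
"""Estimate the half-life of security flaws from scan findings.

Added illustration (not Veracode's code). A finding that is still open at
the end of the observation window is right-censored: we know it survived
at least that long, but not when it will be fixed. Dropping such findings
biases the median fix time downward; the Kaplan-Meier estimate below
keeps them in the at-risk population until they are censored.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One scanner finding. `fixed` is None while the flaw is still open."""
    app: str
    cwe: str
    first_seen: date
    fixed: Optional[date]


# Constructed example data: four fixed findings and four still open as of
# the (assumed) end of the observation window.
OBSERVATION_END = date(2023, 1, 11)
SAMPLE_FINDINGS: List[Finding] = [
    Finding("billing", "CWE-89", date(2022, 1, 10), date(2022, 2, 9)),    # 30 days
    Finding("billing", "CWE-79", date(2022, 2, 1), date(2022, 4, 2)),     # 60 days
    Finding("portal", "CWE-22", date(2022, 3, 15), date(2022, 6, 13)),    # 90 days
    Finding("portal", "CWE-502", date(2022, 1, 20), date(2022, 7, 19)),   # 180 days
    Finding("portal", "CWE-611", date(2022, 5, 1), None),                 # open, 255 days
    Finding("api", "CWE-287", date(2022, 8, 1), None),                    # open, 163 days
    Finding("api", "CWE-78", date(2022, 10, 1), None),                    # open, 102 days
    Finding("api", "CWE-327", date(2022, 11, 20), None),                  # open, 52 days
]


def survival_curve(findings: Iterable[Finding],
                   end: date = OBSERVATION_END) -> List[Tuple[int, float]]:
    """Kaplan-Meier estimate of the fraction of flaws still open after t days.

    Returns (days, fraction_still_open) points, starting at (0, 1.0) and
    adding a point at every day on which at least one flaw was fixed.
    """
    obs: List[Tuple[int, bool]] = []
    for f in findings:
        if f.fixed is None:
            obs.append(((end - f.first_seen).days, False))   # censored
        else:
            obs.append(((f.fixed - f.first_seen).days, True))  # event (fixed)
    obs.sort()

    at_risk = len(obs)
    survival = 1.0
    curve = [(0, 1.0)]
    i = 0
    while i < len(obs):
        t = obs[i][0]
        fixed_at_t = censored_at_t = 0
        while i < len(obs) and obs[i][0] == t:
            if obs[i][1]:
                fixed_at_t += 1
            else:
                censored_at_t += 1
            i += 1
        if fixed_at_t:
            survival *= 1.0 - fixed_at_t / at_risk
            curve.append((t, survival))
        # Both fixed and censored findings leave the at-risk set after t.
        at_risk -= fixed_at_t + censored_at_t
    return curve


def half_life_days(findings: Iterable[Finding],
                   end: date = OBSERVATION_END) -> Optional[int]:
    """First day on which the estimated open fraction drops to 50% or below.

    Returns None if fewer than half of the flaws are fixed within the window.
    """
    for t, still_open in survival_curve(findings, end):
        if still_open <= 0.5:
            return t
    return None


def naive_half_life_days(findings: Iterable[Finding]) -> Optional[float]:
    """Median fix time over closed findings only (ignores open ones)."""
    ages = sorted((f.fixed - f.first_seen).days for f in findings if f.fixed)
    if not ages:
        return None
    n = len(ages)
    return float(ages[n // 2]) if n % 2 else (ages[n // 2 - 1] + ages[n // 2]) / 2.0


if __name__ == "__main__":
    print("naive median (closed only):", naive_half_life_days(SAMPLE_FINDINGS))
    print("censoring-aware half-life: ", half_life_days(SAMPLE_FINDINGS))
```

On the constructed data the naive median says flaws are half gone after 75 days, while the censoring-aware estimate puts the half-life at 180 days, because the four open findings keep the at-risk population large at each fix event. The gap only widens as the share of long-lived open findings grows, which is exactly the population the report is describing.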
“How to fix security problems in Java applications is still largely [a matter of making] changes to class files and compiling,” he says. “[Then there are the] details of package management issues. That’s another thing developers should learn, and it might be easier that way.”
New programming languages barely register
Additionally, Rust, the language developers consistently rate as their most-loved, doesn’t appear in Veracode’s data at all, while Python, ranked sixth in popularity among developers, accounts for less than 4% of the applications scanned.
Veracode’s Jarrett said one reason for the disconnect is that established applications are written in established programming languages.
“There’s a whole universe of all the code out there, and there’s kind of a bubble on top of a new wave of development, where you see people picking up Go and Rust and Dart and Flutter,” he says.
That situation probably won’t change, given the sheer mass of existing code written in the established languages.
“Unfortunately, old applications don’t die, so there’s a lot of critical mass in companies with these big Java codebases and .NET codebases,” he says.