Developers struggle to prioritise vulnerabilities, Veracode SOSS Language Snapshot reveals
August 2024 by Veracode
As developers struggle to prioritise security debt, Veracode announces latest innovations to identify and unify critical risk
New Veracode research shows developers remediate low-severity flaws with more urgency than severe flaws; new capabilities enable organisations to prioritise remediation that matters most
Veracode announced platform innovations to help organisations uncover, prioritise, and reduce security debt across their growing attack surface. Universal Connector and Application Security Heatmap, the two newest capabilities from Longbow powered by Veracode, allow organisations to quickly connect findings from any source and see the applications that are contributing to the most risk. Together, the Universal Connector and the Application Security Heatmap provide clear, operational insight into assets and issues, allowing remediation actions to be prioritised by quantifiable risk.
"The combination of mounting security debt, an expanding attack surface made more vulnerable by generative AI, and an overwhelming volume of security alerts makes it challenging for organisations to know which application risks to prioritise," said Chris Eng, Chief Research Officer at Veracode. "In fact, our State of Software Security research shows that many organisations are more focused on remediating low-severity flaws than critical flaws. Security leaders need technology that enables them to effectively uncover and manage application risk, and then reduce that risk by focusing on the issues that matter most across their entire attack surface."
Prioritisation of security debt: Critical vs non-critical
In its State of Software Security 2024 Language Snapshot, Veracode revealed the varying prevalence of "critical" and "non-critical" security debt among applications written in different languages. Critical security debt is defined for this report as high-severity flaws that remain unfixed for longer than a year. If exploited, these flaws would put the integrity and availability of organisations at serious risk.
The research found that while most security debt exists in first-party code written by in-house developers, the most critical security debt resides in third-party code (e.g., open-source software imported into the codebase). For example, 80 percent of critical debt in Java apps, and 63 percent in JavaScript apps, is in third-party code. The report also found about 51 percent of critical flaws in Java apps turn into security debt, while only about 45 percent of low to medium flaws progress into security debt.
Eng said, "With the overflowing volume of security flaws, developers are not prioritising those that present the most risk. While focusing on non-critical flaws may result in some quick fixes, developers should use their limited capacity to work on fixing critical flaws with the highest potential impact on security."
Putting visibility and prioritisation first: Universal Connector & Application Security Heatmap
Building on Veracode’s acquisition of Longbow Security in April this year, and the introduction of Longbow’s Repo Risk Visibility and Analysis capability in May, Universal Connector and Application Security Heatmap are designed with developers’ time in mind. The capabilities provide operational oversight to help developers and security teams quickly identify and prioritise the most important fixes for growing security debt across their applications.
Universal Connector allows organisations to quickly ingest disparate source data they otherwise couldn't bring into the Longbow platform, meaning they don't have to wait for a tool-specific connector. The Application Security Heatmap maps each application back to its owner, shows a 90-day risk trend, and lets organisations customise the risk threshold to match their own policy. Application security teams and developers can analyse each application, view the distribution of risk, and implement recommendations for the Best Next Action™ to remediate that risk.
"As organisations seek to find and fix mounting critical security debt, the need for risk-focused visibility and prioritisation is clear," said Derek Maki, Vice President of Product Management at Veracode. "The new capabilities in the Longbow platform provide our customers with a deeper understanding of an organisation’s riskiest applications, plus the unique ability to identify the top five most impactful solutions for improvement."
Enhanced by the Longbow acquisition, Veracode closes the gap between development and security teams, delivering visibility from code repositories to cloud assets and runtime. Longbow also identifies infrastructure-as-code and misconfiguration risk for cloud assets originating from repositories.