Security Flaws: The Effects of Time and Language
Written by Sue Gee
Wednesday, 22 February 2023
JavaScript applications have fewer flaws and faster flaw resolution than Java and .NET applications. This finding comes from AppSec company Veracode, which recently brought out its annual State of Software Security Report, based on an analysis of three-quarters of a million applications, data it has collected over 17 years.

Introducing the State of Software Security 2023 Report on the Veracode blog, Natalie Tischler reveals that the first takeaway from the analysis concerns the accumulation of security flaws over time. By the time they move into production, nearly one-third of all applications have flaws. Irrespective of their original size, applications grow by about 40 percent year-on-year, and so does the incidence of flaws. Nearly 70 percent of applications contain at least one flaw by the time they have been in production for five years, and by the time an application is 10 years old only 10% are free of security flaws. Looking at flaw prevalence in the latest scan over the past twelve months, over 74% of applications contain at least one:
Regarding flaws defined in the OWASP Top 10, a list of the 10 most common application vulnerabilities from the Open Web Application Security Project, 70% are affected. In addition, over 56% have at least one flaw included in the CWE Top 25. However, fewer than 20% have High Severity flaws, which is a drop from the 24% when we reported on Veracode's findings two years ago. This year's report includes a "rolling view" of the evolution of flaws which shows that things are improving, as every measurement has trended downwards over the last six years.

In its analysis, undertaken to get a better handle on flaw introduction, security debt accumulation, and application lifecycle management, Veracode looked at the top three languages - Java, used by 44% of the applications it covers, .NET (26%), and JavaScript (14%). It found that while almost five out of every six .NET applications and over three out of four Java applications have reported flaws, only 55% of JavaScript apps have any flaws.
Moreover, when flaws are introduced into JavaScript applications they are resolved faster, as the report's remediation graphic shows. The graphic plots the probability that a finding is still open as a function of the time since the flaw was first discovered. At first glance the four curves, Other, Java, .NET and JavaScript, appear to descend closely together, but they do not. In the case of Other the probability that a flaw is still open after three months is 67%, for Java it is 65%, for .NET 59% and for JavaScript 54%. The expected time to remediate half of the open flaws is 272 days for Other, 243 days for Java, 158 days for .NET and only 116 days for JavaScript. After two years, while 27% of flaws in Java apps are still unremediated, this is the case for only 14% of those written in JavaScript.
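The curve described above, "probability that a finding is still open after t days", is a survival curve, and the three numbers quoted for each language (probability still open at three months, time to remediate half the flaws, probability still open after two years) can all be read off it. The complication on real scanner data is that many findings are still open when you take the snapshot, so you know only that they survived at least that long. The following is an added example, not Veracode's code or data: it builds the curve with the Kaplan-Meier estimator (the standard way to handle such right-censored records) over a small constructed set of findings, and reports the same three figures per language. The finding records, the cutoff day and the language labels are all constructed for the illustration.

```python
"""Kaplan-Meier style remediation curves for scanner findings.

Added illustration (not Veracode's code or data): the input below is a
constructed set of findings, one record per flaw, with the day the scanner
first reported it and the day it was closed (None = still open at the
observation cutoff). Still-open findings are right-censored: we know they
survived at least until the cutoff, not when they will be fixed.
"""
from collections import Counter
from fractions import Fraction

# Constructed sample findings (days are relative to the start of observation).
CUTOFF_DAY = 1000
FINDINGS = [
    # (language, day opened, day closed or None if still open)
    ("JavaScript", 0, 30), ("JavaScript", 0, 60), ("JavaScript", 10, 100),
    ("JavaScript", 0, 120), ("JavaScript", 800, None), ("JavaScript", 100, 500),
    ("Java", 0, 45), ("Java", 900, None), ("Java", 50, 200),
    ("Java", 0, 300), ("Java", 500, None), ("Java", 100, 900),
    (".NET", 0, 30), (".NET", 800, None), (".NET", 600, None), (".NET", 400, None),
]


def durations(findings, language, cutoff=CUTOFF_DAY):
    """Return (days_observed, was_closed) pairs for one language.

    An open finding contributes the days from discovery to the cutoff and is
    marked as not closed (censored): it counts as 'at risk' for that long and
    then drops out of the population without being counted as a closure.
    """
    out = []
    for lang, opened, closed in findings:
        if lang != language:
            continue
        if closed is None:
            out.append((cutoff - opened, False))
        else:
            out.append((closed - opened, True))
    return out


def kaplan_meier(samples):
    """Kaplan-Meier estimate of S(t) = P(finding still open after t days).

    samples: iterable of (duration, event) where event=True means closed.
    Returns a list of (t, S(t)) at each closure time, using exact Fractions
    so that a value landing exactly on 1/2 is not lost to floating point.
    """
    closures = Counter(d for d, event in samples if event)
    all_durations = [d for d, _ in samples]
    survival = Fraction(1)
    curve = []
    for t in sorted(closures):
        at_risk = sum(1 for d in all_durations if d >= t)  # still open just before t
        survival *= Fraction(at_risk - closures[t], at_risk)
        curve.append((t, survival))
    return curve


def survival_at(curve, t):
    """S(t): probability of still being open at day t (1 before the first closure)."""
    value = Fraction(1)
    for time, s in curve:
        if time > t:
            break
        value = s
    return value


def median_time(curve):
    """Smallest day at which S(t) <= 1/2, or None if half the flaws never closed."""
    for time, s in curve:
        if s <= Fraction(1, 2):
            return time
    return None


def summarize(findings=FINDINGS, cutoff=CUTOFF_DAY):
    """Per-language view of the three numbers the report quotes."""
    result = {}
    for language in sorted({f[0] for f in findings}):
        curve = kaplan_meier(durations(findings, language, cutoff))
        result[language] = {
            "p_open_90d": float(survival_at(curve, 90)),
            "median_days": median_time(curve),
            "p_open_730d": float(survival_at(curve, 730)),
        }
    return result


if __name__ == "__main__":
    for language, stats in summarize().items():
        print(f"{language:<11} P(open @90d)={stats['p_open_90d']:.2f} "
              f"median={stats['median_days']} P(open @730d)={stats['p_open_730d']:.2f}")
```

Two points worth noting when running this over your own scanner export. First, the constructed .NET set shows the common failure mode: when most findings are still open at the cutoff the curve never drops to one half, and the honest answer for "time to remediate half the flaws" is that it cannot be estimated yet, not a number. Second, simply dropping open findings and averaging the closed ones would bias every language toward looking faster than it is, which is exactly why the report's curve is framed as a probability of still being open rather than a mean fix time.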
More Information
Veracode State of Software Security 2023 Report

Related Articles
Veracode Reveals Security Flaws
State of Software Security (2015)
Ever Increasing Need For Secure Programming
Last Updated (Wednesday, 22 February 2023)