Software Security Report Finds Third Party Code Most Problematic
Wednesday, 12 March 2025

The latest edition of Veracode's annual State of Software Security report finds that 80% of the applications tested over the last year have at least one security flaw, and that just under half of all applications have flaws in categories ranked in the OWASP Top 10, the list of the ten most critical web application risks.

These findings come from the recently released 2025 edition of Veracode's annual State of Software Security report. Veracode is an application security company specialising in SaaS application security that integrates application analysis into development pipelines. The report assesses the state of software security as revealed by 1.8 million SAST, DAST, and SCA scans of 457,000 applications.

The headline takeaway is that the vast majority of applications tested have at least one security flaw, with half having flaws that fall into the OWASP Top 10. OWASP, the Open Worldwide Application Security Project, lists the top ten critical risks as broken access control, cryptographic failures, injection (including cross-site scripting), insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery.

However, Veracode does point out that:

While the level of flaws, and specifically high severity flaws, remains high, we’re happy to report that the proportion of applications failing OWASP Top 10 and CWE Top 25 tests is steadily declining. Of particular note, the prevalence of high-severity flaws has been cut in half over the last decade.

[Chart: percent containing flaws]

The percentage of apps passing the OWASP Top 10 has increased by 63% in five years (from 32% to 52%). It is still the case, though, that over one-third of apps contain flaws considered the most dangerous. While more apps now pass the OWASP Top 10, this is balanced by the finding that the percentage of apps with high severity flaws has increased by 181%. What's more, the average number of days taken to fix those flaws has increased by 47%, from 171 days in 2020 to 252 days in 2025.

[Chart: security flaws]

In terms of where the problems originate, 64% of applications have flaws in first-party code, while 70% of applications have flaws in third-party code. This is reinforced by a finding in the report that a third of companies report that 96% of their critical problems exist in third-party code, and over a quarter of organizations live in the strange reality where all of their critical security debt is contained in open-source libraries.

This is exacerbated by the fact that problems in open source projects often take longer to resolve, with a half-life of 12 months compared to 8 months for first-party code. As the report points out:

"many open-source libraries are dependent on a single contributor who isn't motivated to update their code in a timeframe that's consistent with your risk tolerance and needs."
