Application Security Report: Open source code is still “a blessing and a curse”
A new Veracode Application Security Report reveals that while things are generally improving, some lingering issues remain, including the use of faulty open-source and third-party code libraries.
The finding appears in the 12th edition of the State of Software Security report from the application security testing specialist. The report is based on data collected from Veracode services and customers, including millions of scans of various types, and covers applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing.
“Open source libraries are still a significant cause for concern,” the report says, referring to a persistent and well-documented problem which continues today. Some of this persistence could be due to developer habits.
“Most developers keep the same libraries year after year,” one section of the report states, while another states that “history tells us that we will experience the same types of defects year after year.”
Nevertheless, the report notes that third-party libraries now have fewer defects and are processed faster.
“On a positive note, there is a noticeable improvement in 3rd party defect fix time. one year.”
In addition to looking at the use of software scanning tools and analyzing software vulnerabilities, the report examines how vulnerabilities are patched and looks at the future of secure software. Overall, things are looking up, as the report says: “The trend across all applications is a general reduction in defect prevalence.”
However, Veracode noted, increased connectivity of all kinds and the rise of connected, distributed microservices have complicated the application security picture.
“But it’s not just increased connectivity that’s shaping the security landscape, it’s hypercompetitiveness and the need for constant innovation,” the report says. “To move faster, many development teams have turned to cloud-native technologies, microservices architectures, and open-source code to accelerate and scale their efforts. Additionally, development teams have adopted agile methodologies and are automating as many stages of the development process as possible.
“While this evolution increases the speed of the software development lifecycle, it also introduces new complexities and risks.”
Here are some highlights from the report:
- Microservices: In 2018, about 20% of apps incorporated multiple languages. This year, fewer than 5% of apps used multiple languages, suggesting a pivot to smaller, single-language apps or microservices.
- The number of applications scanned has tripled: Organizations analyze an average of more than 17 new applications per quarter. This number is more than triple the number of apps scanned per quarter a decade ago.
- Organizations use several types of scanning: We saw a 31% increase in the use of multiple types of analysis between 2018 and 2021, with much of that gain coming from organizations using the full suite of static, dynamic, and SCA analysis.
- Most developers keep the same libraries year after year: We’ve found that developers stick to proven libraries and rarely attempt to refactor their code base to select the “coolest” or “most popular” libraries.
These specific data points lead to four generalizations about the report’s findings:
- The agile development of small modular applications has eaten the world. We have witnessed an explosion in the number of applications analyzed. We’ve seen developers move from scanning their applications once a quarter to once a day, as well as expanding their use of different scanning technologies.
- Free and open source code will continue to be a blessing and a curse for developers. We don’t see any signs that the use of third-party libraries has changed dramatically, or even the libraries that developers use. Developers seem to be using fewer libraries with known flaws and that’s a reason for optimism.
- Applications are slowly but surely becoming more secure. Perhaps most encouraging throughout this analysis is that, in almost every area, we have seen steady progress towards more secure applications. While some defect subsets have increased in prevalence over time, the trend has generally been downward. That’s impressive, given that patch capacity and speed haven’t necessarily increased. We hope that this trend will continue and that the future will continue to be bright.
- New tools will continue to help improve the application security landscape. In the past, we’ve noted that using different types of scans means developers will fix all types of defects faster and more completely. Integrating these types of tools into continuous integration pipelines and IDEs will only accelerate developer adoption.
“Security debt can build up over time, and addressing it early can help mitigate future work,” Veracode said. “Using multiple types of analysis – static, dynamic, and software composition analysis – can paint a more complete picture of an application’s security and allow for faster and more comprehensive remediation.”