More than three-quarters of applications written in Java and .NET have at least one vulnerability from the OWASP Top 10, a list of software weaknesses that developers typically use as a baseline for application security.
That’s according to software-testing firm Veracode, which found in an analysis of nearly 760,000 applications that about one in five applications using those two programming ecosystems had at least one high-severity or critical-severity vulnerability.
Overall, the average application had a 27% chance of having at least one vulnerability introduced every month. Poorly written apps and infrequently scanned apps were likely to be more flawed, while applications with a longer history of security processes and written by well-trained developers were less likely to introduce new flaws, the data showed.
The analysis highlights the importance of integrating security into the development pipeline, says Tim Jarrett, vice president of strategic product management at Veracode.
“The data consistently shows that if you build a habit of security into your process, you have a better outcome, both in terms of fixing overall flaws, and … you also slow the flood of stuff coming in, and that makes a big difference,” he says.
Meanwhile, software companies and development teams continue to struggle to eliminate defects and vulnerabilities from application code. While developers and open source projects are fixing software flaws more quickly, the half-life of the average vulnerability continues to be measured in months, not days or weeks, according to Veracode’s “State of Software Security” report, published on Jan. 11.
For example, Java and .NET applications, which accounted for 71% of total applications analyzed by the study, saw half of flaws still impacting the applications after 243 days and 158 days, respectively.
Application bloat and age both had a significant negative impact on application security. The average application accumulated about 40% more code and was more likely to have vulnerabilities. About 54% of two-year-old applications have flaws, while 69% of five-year-old applications have flaws, the analysis found.
New Programming Languages Languish
In addition, the most loved programming language, Rust, does not even show up in Veracode’s data, while developers’ No. 6, Python, only accounts for less than 4% of scanned applications.
Part of the reason for the disconnect is that established applications are written in established programming languages, says Veracode’s Jarrett.
“You have the full universe of all the code that is out there, and then you have the kind of the foam on the crest of the wave of new development is happening, and that is where you see people picking up Go and Rust and Dart and Flutter,” he says.
Because of the large accumulated codebases written in those established languages, that situation likely will not change.
“Old applications never die, unfortunately, so there is a lot of critical mass in enterprises with these big Java codebases and .NET codebases,” he says.