
Software vulnerabilities are a simple fact of life. They are almost as guaranteed as death and taxes. Vulnerabilities expose applications to potential exploit and compromise, but according to a recent report from Veracode many organizations struggle to keep pace with patch management and the result is a growing security debt that may come back to haunt them.

Veracode released the State of Software Security (SOSS) Report Volume 10 in late October. The report is based on analysis of application assessments submitted during the 12-month period from April 1, 2018 through March 31, 2019. It includes findings from static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing of over 85,000 applications.

Median vs. Average

When Veracode published Volume 1 of the State of Software Security Report, the average number of days organizations took to fix flaws was 59 days. In Volume 10, that average is nearly three times higher at 171 days.

According to the report, however, the median is still 59 days. Why is that? The reality is that both metrics provide useful information, but both can also be misleading or even meaningless. The average is calculated by taking the total of all values and dividing by the number of values. The median is determined by listing the data values in order and selecting the value in the middle, so that half of the values are higher and half are lower.

For example, consider this set of numbers: 2, 3, 4, 5, 6, 7, 142. The average is 24, but the median is 5. The average is easily skewed by the very high outlier value of 142, while the median essentially ignores it.

What that means from the perspective of the Veracode report is that half of the vulnerabilities are addressed in less than 59 days and half of them take longer than 59 days. The fact that the average is 171 days suggests that there are some very high outliers on the upper end of the range that skew the result. The report explains, “This indicates most fixes happen quickly, but there’s a long and growing tail of unresolved findings.”
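As an added example (not code from the article or from Veracode), the following Python computes both statistics for the article's seven numbers and for a constructed set of days-to-fix, and adds a simple tail measure showing how a few long-open findings pull the average far above the median. The `summarize` function, the tail definition and the constructed data set are assumptions for illustration only.

```python
"""Mean vs. median of time-to-fix durations.

Added example; the remediation data set below is constructed and is not
Veracode's data.
"""
from statistics import mean, median


def summarize(days):
    """Return mean, median and a tail measure for a list of days-to-fix.

    `tail_share` is the fraction of all open-days contributed by findings
    that stayed open longer than twice the median. A mean far above the
    median together with a large tail_share is the "long tail" pattern
    the report describes.
    """
    if not days:
        raise ValueError("no findings")
    med = median(days)
    total = sum(days)
    tail = [d for d in days if d > 2 * med]
    return {
        "mean": mean(days),
        "median": med,
        "tail_count": len(tail),
        "tail_share": sum(tail) / total,
    }


# The article's illustration: one outlier drags the mean far above the median.
ARTICLE_EXAMPLE = [2, 3, 4, 5, 6, 7, 142]

# Constructed days-to-fix for 20 findings: most closed within two months,
# a few left open for a year or more (the accumulating security debt).
CONSTRUCTED_FINDINGS = [
    12, 20, 25, 30, 35, 41, 45, 50, 55, 59,
    59, 62, 70, 80, 95, 120, 400, 600, 730, 900,
]

if __name__ == "__main__":
    for name, data in (("article", ARTICLE_EXAMPLE),
                       ("constructed", CONSTRUCTED_FINDINGS)):
        s = summarize(data)
        print(f"{name}: mean={s['mean']:.0f} median={s['median']:.0f} "
              f"{s['tail_count']} tail findings hold "
              f"{s['tail_share']:.0%} of open-days")
```

In the constructed set the median is 59 days while the mean is about 174, and five findings account for roughly 79% of all open-days, which is the shape the report's 59-versus-171 figures imply.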

Growing Security Debt

The report reveals some encouraging trends. The percentage of applications that have at least one flaw has increased 11% over the last 10 years—but that could also be a reflection of both the increased complexity of software and the improved methods and techniques for testing. The silver lining is that the percentage of applications that contain high-severity flaws has dropped by 14% during that same time. Keep in mind that we are also talking about 50 times more applications tested. Increasing the number of applications tested by 50 times and finding a decrease in applications with high-severity flaws is good news.

DevOps has accelerated the pace of application development and the nature of continuous development and continuous testing has helped organizations reduce the time it takes to remediate vulnerabilities. Unfortunately, it seems that many focus on new vulnerabilities while leaving older flaws as a lower priority. Those older vulnerabilities accumulate over time and create security debt that leaves the applications open to unnecessary risk.

“Over the past 10 years, we’ve seen a vast improvement in the overall state of application security. We’ve gone from having to discuss why AppSec is important to having conversations about the best way to approach the problem. This change is reflected in the data that shows companies are fixing a higher percentage of flaws than ever before,” said Chris Wysopal, cofounder and Chief Technology Officer at Veracode in a press release. “However, the report also shows us there is plenty of room for improvement, specifically when it comes to the issue of mounting security debt. Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole.”

What kind of flaws make up the security debt? According to the report, “The largest amount of debt across applications comes from Cross-site Scripting (XSS), with Injection, Authentication, and Misconfiguration flaws making up sizable portions as well. We consider this noteworthy, as Injection is the second most prevalent flaw category in reported exploits.”

In other words, the flaws that are being treated as lower priority and adding to the security debt are the ones that attackers target and exploit.

Take a look at the full report for yourself. It has more valuable insights than I can share here—including evidence that shows a strong correlation between frequency of application scanning and the reduction of security debt.