76% of apps contain flaws, and 24% of apps have flaws considered highly severe, states Veracode’s annual State of Software Security report. It says that 70% of apps are inheriting security flaws from their open-source libraries. According to the report, 30% of apps have more security bugs in their open-source libraries than in code written in-house.

Veracode said in the report that open-source libraries are a huge attack surface due to their omnipresence.  It also pointed out that developers should be verifying the safety of open-source libraries because there is no link between the quality of in-house code and open-source bugs.

Veracode noticed that 73% of the bugs it found as part of the report were patched. This is a big improvement in comparison with previous years when the number of patched bugs was in the mid-50% range. Despite that, it is still taking an average of six months to close half of the discovered flaws.

“For the most part, the top flaw types have stayed fairly consistent over the years. Volume 10 last year found that information leakage, cryptographic issues, CRLF injection, and code quality flaws were the most common types of flaws found in applications. In this year’s research, the top three did not move around, and the third-place ‘cryptographic issues’ are also found in almost two out of three applications with flaws in this report,” the report said.

According to Veracode’s heatmap of the worst bugs in the most popular programming languages, first place was taken by PHP, followed by C++, then Java, .Net, JavaScript, and Python. The last two are, doing considerably better than the others, with the worst flaws in each only being found in roughly 30% of apps.

Veracode describes which are the best practices to implement, regardless of the language in the report.

“Even if the developer has inherited an old, gargantuan application with heaps of security debt, and there is no one left who remembers why some things were coded that way, fixing flaws and adding new features don’t have to continue being difficult,” the report said.


“We’ve looked at the effect of nature and nurture on the security of our applications. We found that nurture—our decisions and actions—can overcome and improve the nature of the application and environment,” Veracode concluded.

Tags: , , , , , , , , , , , , , , , ,