A recent study highlights the growth in security debt and shows that finding and fixing flaws is becoming increasingly critical if costly breaches are to be avoided.
For those unfamiliar with the term, let’s start by defining security debt. It is the accumulation of unfixed or unresolved security vulnerabilities, out-of-date software and other security risks that have not been addressed within an organisation’s technology infrastructure or applications. Simply put, it is technical debt that accumulates specifically in the cyber security domain.
Mitigating the related risks and minimising the impact of application security debt involves proactively addressing known vulnerabilities and keeping systems and software current with fixes, patches and updates. Implementing robust security controls and aligning with industry best practices for secure software development are also essential parts of an effective overall security posture.
Application security debt compounds: as the codebase grows and evolves, unfixed flaws continuously expand the attack surface, raising both risk and the eventual cost of remediation, while also slowing application development velocity.
A concerning statistic from the 2024 State of Software Security report is that approximately 70% of applications contain flaws that fall within the Open Worldwide Application Security Project (OWASP) Top 10 most critical security risks to web applications. Another community-developed list of software and hardware weaknesses worth referencing is the Common Weakness Enumeration (CWE). The report also uses a metric called flaw density, which measures the number of application security (AppSec) flaws identified per megabyte (MB) of code. Based on the report’s verified data, a typical application averages 42 flaws per 1MB of code.
But just how critical are these software security flaws? The report indicates that about 3% of all flaws are considered very high severity and 16% are very likely to be exploited by attackers. It further suggests that 43.5% of all flaws represent a substantial attack surface for many organisations and must be managed to mitigate the associated risk. These flaws are introduced through first-party code, third-party code, or a combination of the two, with third-party (open source) code typically carrying the higher share.
Fortunately, various strategies and recommendations exist to help organisations limit their security debt exposure. These include integrating security into the entire software development life cycle (SDLC), plus ongoing prioritisation and remediation of the flaws identified. Adopting multiple application testing methods is also immensely important, as is understanding your preferred language’s debt profile and leveraging automation and AI across the software supply chain to discover, identify and fix flaws.
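To make the flaw-density metric and the prioritisation step above concrete, the following is an added example, not code from the article, the report or Veracode. It takes a constructed set of scanner findings (the severity labels, the exploitability flag and the first/third-party marker are assumptions about what a SAST/SCA report would carry), computes flaws per MB, and orders the remediation backlog so that severe, exploitable and long-standing flaws are fixed first:

```python
"""Security-debt triage over a constructed finding set (added example).

Not the report's or Veracode's code. Severity labels, the
'exploitable' flag and the third_party marker are assumptions
about what a scanner report would provide.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"very_high": 5, "high": 4, "medium": 3, "low": 2, "very_low": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    cwe: str
    severity: str
    exploitable: bool   # scanner says a known exploit / reachable sink exists (assumed field)
    third_party: bool   # flaw lives in a dependency rather than first-party code
    age_days: int       # days since first seen; old unfixed flaws are accumulated debt


# Constructed sample report for a ~2.5 MB codebase (not real scan data).
SAMPLE_FINDINGS = [
    Finding("F1", "CWE-89",  "very_high", True,  False, 120),
    Finding("F2", "CWE-79",  "high",      True,  False, 30),
    Finding("F3", "CWE-502", "very_high", True,  True,  400),
    Finding("F4", "CWE-327", "medium",    False, False, 10),
    Finding("F5", "CWE-798", "high",      False, True,  200),
    Finding("F6", "CWE-20",  "low",       False, False, 5),
]
SAMPLE_CODE_SIZE_MB = 2.5


def flaw_density(findings, code_size_mb):
    """Flaws per megabyte of scanned code, the report's density metric."""
    if code_size_mb <= 0:
        raise ValueError("code size must be positive")
    return len(findings) / code_size_mb


def priority_score(f):
    """Higher is more urgent. Severity dominates, exploitability doubles it,
    and a small age term (capped at one year) stops old debt sinking forever."""
    base = SEVERITY_RANK[f.severity]
    if f.exploitable:
        base *= 2
    return base + min(f.age_days, 365) / 365


def prioritise(findings):
    """Remediation backlog, most urgent first."""
    return sorted(findings, key=priority_score, reverse=True)


def debt_summary(findings):
    """Headline debt figures in the same shape the report uses (percentages)."""
    total = len(findings)
    if total == 0:
        return {"total": 0, "very_high_pct": 0.0, "exploitable_pct": 0.0,
                "third_party_pct": 0.0, "stale_over_90d": 0}
    counts = Counter(f.severity for f in findings)
    return {
        "total": total,
        "very_high_pct": round(100 * counts["very_high"] / total, 1),
        "exploitable_pct": round(100 * sum(f.exploitable for f in findings) / total, 1),
        "third_party_pct": round(100 * sum(f.third_party for f in findings) / total, 1),
        "stale_over_90d": sum(f.age_days > 90 for f in findings),
    }


if __name__ == "__main__":
    print(f"flaw density: {flaw_density(SAMPLE_FINDINGS, SAMPLE_CODE_SIZE_MB):.1f} flaws/MB")
    print("summary:", debt_summary(SAMPLE_FINDINGS))
    for f in prioritise(SAMPLE_FINDINGS):
        origin = "third-party" if f.third_party else "first-party"
        print(f"{f.id} {f.cwe:8} {f.severity:9} {origin:11} score={priority_score(f):.2f}")
```

The scoring weights are a deliberate simplification: in practice the exploitability input would come from reachability analysis or exploit intelligence, and third-party findings would usually be routed to a dependency-upgrade queue rather than a code fix.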
Veracode Fix shifts the paradigm from find to fix, enabling organisations to reduce their agile backlog, save time and secure more code without writing it by hand, using AI-augmented fixes trained on a curated dataset.
Technically, there are three key elements to Veracode Fix’s machine learning solution:
- The model: a GPT-style transformer deep learning model, similar to the one behind ChatGPT.
- The data: Veracode Fix is trained on a proprietary, highly curated dataset of reference patches, unlike competitors trained on large, uncurated datasets.
- Training and alignment: supervised learning and alignment by Veracode’s team of expert security researchers and application security consultants.
Veracode Fix combines Veracode’s experience with the responsible adoption of AI technology in practice. It does not automatically change or modify customers’ code: a developer in the loop reviews the suggested fixes and selects which to implement.
Veracode is a sponsor of the annual ITWeb Security Summit 2024 to be held at Sandton Convention Centre in Sandton, Johannesburg, from 4 to 5 June 2024. Visit to register.
CASA Software
CASA Software is a digital transformation organisation comprising a highly skilled team of technology professionals. The company has over three decades’ experience in the South African and sub-Saharan ICT industry.
We help customers to transform and optimise ICT operations from mobile to mainframe, including hybrid and multi-cloud, to accelerate innovation while maximising customer value.
We partner with software industry technology leaders to enable our customers to realise the value of AI-driven operations and streamlined automation. Our solutions are designed to assist customers to securely embrace the challenges of digital transformation and the next AI driven era of computing.
Our customers include leaders in finance, telecommunications, retail, and the public sector.
Veracode
Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organisations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.