Security teams need to focus on keeping their open source libraries up to date after a recent study found that nearly 97 percent of Java applications assessed in the study contained at least one component with a known vulnerability.
The report is based on real application risk postures drawn from code-level analysis. It found that some vulnerabilities can exist in products for years before being discovered and patched: the most commonly occurring vulnerable component in Java was released in July 2013 but was not identified and patched until November 2015, according to the annual State of Software Security Report conducted by Veracode.
The bug was observed in more than 30 percent of Java applications, while the second most common vulnerability was observed in more than 12 percent of all Java applications. Researchers also found that 60 percent of applications failed security policies upon first scan, and that the top quartile of companies fix nearly 70 percent more vulnerabilities than the average company.
“We were surprised by the continued vulnerability of applications in the healthcare industry vertical, which had the second lowest initial quality rate but the lowest fix rate and the highest prevalence of cryptographic and credentials management vulnerabilities,” Veracode Senior Director of Product Marketing Tim Jarrett told SCMagazine.com via emailed comments. “Given the sensitivity of health data protected by healthcare applications, this is a serious concern.”
Jarrett added that the data shows the increasing need to manage application risk as an enterprise risk, because businesses in every industry deliver more and more value via software in one form or another.
To help combat these threats, the researchers argue that giving developers more power improves security: letting them use techniques such as sandboxing technologies to scan apps before assurance testing has been shown to double fix rates, according to the report.
Remediation coaching and secure coding training are helpful for developers who may not be familiar with appsec concepts, Jarrett said. They could also help developers catch vulnerabilities in the customer's own code, which have no patch available and which the developer is responsible for fixing.
He also recommended that users plan to use several testing technologies, integrate application security into the development cycle, and train in secure development concepts.