Mitigating the Risk of Security Debt: The State of Software Security in 2024
June 24, 2024

Chris Wysopal
Veracode

The majority of companies are drowning in security debt, making them vulnerable to attacks. And worst of all, they may not know it.

That's according to Veracode's latest State of Software Security 2024 Report, which examined more than one million applications across all scan types. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 70% of organizations and 42% of applications. This debt has accumulated over time, accelerated by digital transformations and the introduction of AI coding tools that increase the speed of development. Applications themselves, meanwhile, have grown by about 40% a year regardless of their original size, accumulating flaws as they age.

The proliferation of AI and regulatory changes, such as those put forth by the White House Executive Order on AI and the EU Cyber Resilience Act, have raised the profile of cybersecurity and increased awareness about insecure code at scale. But there is still a lot of work required to increase education about security debt to tackle the problem.


Peeling Back the Layers of Risk

The report found 71% of organizations have some level of security debt, and that nearly half (46%) have critical security debt resulting from persistent flaws of high severity that create serious risk to a company.

Third-party code from open-source libraries significantly contributes to the volume of security debt. While 63% of applications have flaws in first-party code, 70% contain flaws in third-party code. Third-party code flaws also have an impact on remediation timelines, taking 50% longer to fix than first-party flaws. Half of the known flaws in third-party open-source code remain unresolved for more than 11 months, compared with seven months for flaws in first-party code.

And the time it takes to remediate flaws is critical to reducing debt. Our research shows the teams that fix flaws the fastest reduce critical security debt by 75% — that is, compared with the slowest teams, the fastest teams lower critical debt from 22% to just over 5%. Moreover, faster-acting teams are four times less likely to let critical security debt turn up in their applications in the first place.

Overall, however, few teams are fixing flaws fast enough to substantially reduce security debt. Only 64% of applications have a remediation capacity that's sufficient to eliminate critical security debt. Even when teams have a sufficient overall fix rate, they are not always fixing the most critical flaws.

Risk Prioritization Is Essential

When the rate of new and existing flaws exceeds an organization's capacity to remediate them, prioritizing which flaws to fix first is essential. Currently, developers may be picking the flaws that are the easiest to fix — in the interest of getting fixes done more quickly — while overlooking the flaws that will have the most impact on the organization. Teams need to focus their efforts.

Fortunately, just 3% of all flaws are persistent, high-severity flaws that constitute "critical" security debt. For most if not all development teams, fixing 3% of flaws is an eminently achievable target.
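To make the definitions above concrete, here is a small triage script that classifies a backlog of scanner findings using the report's definition of security debt (unfixed for longer than a year) and critical security debt (persistent and high severity or above), orders the fix queue by impact rather than by ease of fixing, and checks whether a team's monthly fix capacity can actually clear its critical debt. This is an added example, not code from Veracode or the report; the severity scale, the sample findings and the fix-capacity simulation are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Severity scale used for ordering (assumption: the report does not publish one).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
DEBT_AGE_DAYS = 365             # "security debt": unfixed for longer than a year
CRITICAL_MIN_SEVERITY = "high"  # "critical debt": persistent AND high severity or above


@dataclass(frozen=True)
class Finding:
    id: str
    cwe: str           # e.g. "CWE-79"
    severity: str      # one of SEVERITY_RANK's keys
    first_seen: date   # date the scanner first reported it
    third_party: bool  # True if it lives in an open-source dependency


TODAY = date(2024, 6, 24)  # fixed "now" so the example is reproducible

# Constructed sample backlog for one hypothetical application (not report data).
SAMPLE_FINDINGS = [
    Finding("F1", "CWE-79",  "high",     date(2023, 1, 10), False),
    Finding("F2", "CWE-89",  "critical", date(2024, 3, 1),  False),
    Finding("F3", "CWE-22",  "medium",   date(2022, 11, 5), True),
    Finding("F4", "CWE-502", "critical", date(2023, 5, 20), True),
    Finding("F5", "CWE-200", "low",      date(2024, 6, 1),  False),
    Finding("F6", "CWE-611", "high",     date(2023, 6, 30), False),  # 360 days old: not yet debt
]


def age_days(f: Finding, today: date = TODAY) -> int:
    return (today - f.first_seen).days


def is_security_debt(f: Finding, today: date = TODAY) -> bool:
    """Unfixed for longer than a year, per the report's definition."""
    return age_days(f, today) > DEBT_AGE_DAYS


def is_critical_debt(f: Finding, today: date = TODAY) -> bool:
    """Security debt that is also high severity or above."""
    return (is_security_debt(f, today)
            and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[CRITICAL_MIN_SEVERITY])


def debt_summary(findings, today: date = TODAY) -> dict:
    """Counts that mirror the report's headline metrics for a single application."""
    debt = [f for f in findings if is_security_debt(f, today)]
    critical = [f for f in debt if is_critical_debt(f, today)]
    return {
        "total": len(findings),
        "debt": len(debt),
        "critical_debt": len(critical),
        "critical_debt_pct": round(100.0 * len(critical) / len(findings), 1) if findings else 0.0,
        "third_party_debt": sum(1 for f in debt if f.third_party),
    }


def prioritize(findings, today: date = TODAY) -> list:
    """Fix order: highest severity first, then flaws already in debt, then oldest first.
    This is the opposite of the 'easiest first' ordering the article warns about."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK[f.severity],
                                 not is_security_debt(f, today),
                                 f.first_seen))


def months_to_clear_critical_debt(critical_backlog: int, new_per_month: int,
                                  fixes_per_month: int, horizon_months: int = 12):
    """Simulate a monthly fix budget spent only on critical debt.
    Returns the month in which the backlog reaches zero, or None if capacity
    never catches up within the horizon (i.e. remediation capacity is insufficient)."""
    backlog = critical_backlog
    for month in range(1, horizon_months + 1):
        backlog += new_per_month                  # new critical flaws keep arriving
        backlog -= min(fixes_per_month, backlog)  # spend this month's fix capacity
        if backlog == 0:
            return month
    return None


if __name__ == "__main__":
    print(debt_summary(SAMPLE_FINDINGS))
    print([f.id for f in prioritize(SAMPLE_FINDINGS)])
    n = debt_summary(SAMPLE_FINDINGS)["critical_debt"]
    print(months_to_clear_critical_debt(n, new_per_month=1, fixes_per_month=2))
    print(months_to_clear_critical_debt(n, new_per_month=1, fixes_per_month=1))
```

Run against the constructed backlog, three of six findings are debt, two of those are critical debt (one third-party), and the fix queue puts the old critical deserialization flaw ahead of the newer critical injection flaw. The capacity check shows the point made in the report: with two fixes a month the critical backlog clears in two months, but with one fix a month and one new critical flaw a month it never shrinks, however fast easy flaws are being closed.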

Managing Security Debt: Fix Flaws Faster

Even when prioritizing the most serious flaws, teams still need to fix flaws more quickly if they're going to reduce security debt significantly or eliminate it altogether. Artificial intelligence, while often cited as a potential threat to cybersecurity, can make accelerating code fixes a reality. Large language models (LLMs) that have been trained on specific Common Weakness Enumerations (CWEs) can be especially effective working alongside developers to suggest secure fixes at scale.

That kind of scaling is necessary to overcome the current constraints on fix capacity, where new applications and accompanying vulnerabilities are often introduced faster than teams can remediate flaws. Using AI to augment remediation brings greater speed and efficiency to the process, while also freeing developers to focus on other high-value projects.

Driving Down Security Debt

Accumulating security debt poses a serious—and often unseen—threat to organizations that will likely continue to grow with the greater use of AI and third-party code.

Organizations and developers working to lower the amount of security debt need to think about the time, money and education they put behind security teams. Too often, flaw remediation is not dictated by people for whom risk management is a priority, which may be another reason security debt is so high.

Identifying and prioritizing the most critical risks, and training developers to leverage AI models for remediation at scale, can help organizations get their security debt under control.

Chris Wysopal is Co-Founder and CTO of Veracode