Why software 'security debt' is becoming a serious problem for developers

Software security concept art image showing a padlock on a digital interface
(Image credit: Getty Images)

Software ‘security debt’ is plaguing companies around the world, experts have told ITPro, and it's forcing many to reevaluate how they approach application security.

Over 70% of organizations have software containing flaws that have remained unfixed for longer than a year, constituting security debt, according to a new report from security specialist Veracode.

Veracode’s 2024 State of Software Security report scanned over one million applications and found nearly half (42%) contained flaws of this nature.

Furthermore, 46% of organizations were found to have persistent, high-severity flaws that went unaddressed for over a year, meeting the threshold for what Veracode describes as critical security debt.

Although the prevalence of high-severity flaws in applications was shown to have dropped by half compared to 2016, Veracode’s chief research officer Chris Eng told ITPro that firms need to take concrete steps towards securing their software.

“While we continue to see improvements in the security landscape, these findings are a wake-up call for organizations to address their security debt head-on.”

Larger tech enterprises appear to be the most likely to have critical levels of security debt, according to the report, with over three times as many large tech firms found to have critical security debt compared to government organizations.

Software security requires robust testing and increased focus on prioritization

The flaws that make up this debt were found in both first-party code and third-party code, such as code taken from open source libraries.

The study found nearly two-thirds (63%) of the applications scanned had flaws in the first-party code, compared to 70% that had flaws in their third-party code.

Almost 90% of all security debt across all active applications exists in first-party code, according to the report, but third-party code represents around two-thirds of the security debt classified as critical by Veracode.

Eng’s advice for reducing security debt caused by flaws in first-party code is to better integrate security testing into the entire software development lifecycle (SDLC) to ensure devs catch issues earlier in the process.

If developers are required to carry out security testing before they can merge new code into the main repository, this would go a long way in reducing flaws in first-party code, Eng argued.

But, Eng noted, this is not how the majority of businesses operate their development teams.

“The problem is not every company is doing security testing at that level of granularity. They might be letting all the functional stuff go in from 100 different developers and then they’re doing the security checks at the end,” he explained.

“The further that you shift [security testing] to the developer’s desktop and have them see it as early as possible so they can fix it, the better, because number one it’s going to help them understand the issue more and [number two] it's going to build the habits around avoiding it.”

Another part of the solution, according to Eng, is encouraging firms to reevaluate how they prioritize tasks. If firms are smarter about which flaws they focus on fixing and how much capacity they are willing to allocate to these tasks, they can rapidly address their security vulnerabilities.

“What you actually find is that medium and low severity issues are fixed by organizations at almost exactly the same pace as high and critical (flaws) … what that tells us is that teams are not prioritizing the most important stuff that is presenting the most risk to the organization.”
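To make the report's categories concrete, the following added example (not Veracode's code or methodology) classifies scanner findings into security debt (unfixed for more than a year) and critical security debt (high or critical severity and unfixed for more than a year), and orders remediation so critical debt comes first rather than every flaw being fixed at the same pace. The `Finding` record shape, the severity names and the sample findings are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date

DEBT_AGE_DAYS = 365  # report's threshold: a flaw unfixed for more than a year is debt
HIGH_SEVERITIES = {"critical", "high"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:  # constructed record shape, not a real scanner's export format
    finding_id: str
    severity: str      # one of SEVERITY_RANK's keys
    first_seen: date   # date the scanner first reported the flaw
    third_party: bool  # True if it lives in a dependency rather than first-party code

def is_debt(f: Finding, today: date) -> bool:
    """Security debt: the flaw has stayed unfixed for more than a year."""
    return (today - f.first_seen).days > DEBT_AGE_DAYS

def is_critical_debt(f: Finding, today: date) -> bool:
    """Critical security debt: debt that is also high or critical severity."""
    return is_debt(f, today) and f.severity in HIGH_SEVERITIES

def debt_summary(findings: list[Finding], today: date) -> dict:
    """Per-application counts mirroring the report's headline metrics."""
    debt = [f for f in findings if is_debt(f, today)]
    crit = [f for f in debt if f.severity in HIGH_SEVERITIES]
    return {
        "debt": len(debt),
        "critical_debt": len(crit),
        "debt_in_third_party": sum(f.third_party for f in debt),
        "critical_debt_in_third_party": sum(f.third_party for f in crit),
    }

def fix_queue(findings: list[Finding], today: date) -> list[str]:
    """Work order: critical debt first, then by severity, then oldest first,
    so the riskiest flaws are not fixed at the same pace as everything else."""
    ranked = sorted(findings, key=lambda f: (not is_critical_debt(f, today),
                                            SEVERITY_RANK[f.severity],
                                            f.first_seen))
    return [f.finding_id for f in ranked]

# Constructed sample: a mix of ages, severities and code origins.
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("F-1", "low", date(2022, 1, 10), False),     # old, low: debt, not critical
    Finding("F-2", "critical", date(2023, 9, 1), False), # recent critical: not yet debt
    Finding("F-3", "high", date(2022, 6, 15), True),     # old high in a dependency: critical debt
    Finding("F-4", "medium", date(2024, 1, 20), False),  # recent medium
    Finding("F-5", "critical", date(2021, 11, 3), True), # old critical in a dependency: critical debt
]
```

Running `fix_queue(SAMPLE, TODAY)` puts the two dependency flaws that are critical debt ahead of the newer critical finding, which is the ordering the quote above says most teams fail to apply.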

Third party code responsible for the lion’s share of critical security debt

Eng said the prevalence of third-party code in software development is a growing concern, with firms failing to recognize that the efficiency gains achievable through borrowing code come with the added risk of inheriting security flaws.

“[Something] organizations will ignore is that you get the functionality but you also get the vulnerabilities, and that now becomes part of the maintenance [process]”.

A particular problem with the growing prevalence of third-party code across applications is that, without a robust patching framework, the risk posed to organizations grows as more vulnerabilities are discovered.

“It gets worse and worse as time goes on as other people are discovering vulnerabilities in the third party library and, unless you are patching them, your application is getting riskier and riskier over time”, Eng explained.

This is the reason third-party code accounts for the majority of critical security debt, Eng argued, and it can only really be addressed through much more rigorous and timely patching procedures.

“The problem is, if you just kept it up to date every time the maintainer releases a new minor version … there’s no breakage barely ever, it's very simple. When you let it go five years and then suddenly you are trying to jump from version one to version five there’s all sorts of breakage along the way”.

This contributes to longer remediation times for flaws in third-party code, with third-party flaws taking 50% longer to fix than those in the first-party code base, according to the report.

Eng explained this is because, unlike first-party code, third-party libraries are continually updated by maintainers and devs are unable to simply jump to the latest version without running into compatibility issues.

“You can’t go directly there [version five], you’ve got to go from one to two to three to four and then every time you’ve got to run your tests, make sure something didn’t break, they didn't deprecate something that you were using, there just becomes exponentially more work to do, just like interest piling up on a credit card.”

As a result, ensuring third-party code is continually patched to avoid issues snowballing into high-severity security flaws should be a priority for businesses across the world, Eng claimed.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.