A worrying number of commonly used applications have high-severity security flaws, and those used by companies in the technology sector are among the worst affected, new research has found.
A report from Veracode analyzing 20 million scans across half a million applications in technology, manufacturing, retail, financial services, healthcare, and government sectors, found 24% of apps in the technology sector carry high-severity flaws.
Counting flaws of any severity, 79% of technology-sector applications carry at least one, the second-highest proportion of any sector studied; only the public sector fares worse, at 82%.
Fixing the flaws
The most common categories of flaw are server misconfiguration, insecure dependencies, and information leakage, the report states, adding that these findings "broadly follow" the pattern seen in other industries. Where the technology sector diverges most from the cross-industry average is in cryptographic issues and information leakage, which prompted the researchers to speculate that developers in the technology industry are more aware of data-protection pitfalls than their peers elsewhere.
On the share of flaws that actually get fixed, the technology sector sits in the middle of the pack, but it is comparatively quick at remediation: technology companies take up to 363 days to fix half of their flaws. That beats the cross-industry average, but there is still plenty of room for improvement, Veracode added.
Chris Eng, Chief Research Officer at Veracode, argues that the goal is not just to discover flaws but to reduce the number of flaws introduced into the code in the first place. He also believes businesses need to put more effort into automating security testing.
“Log4j sparked a wake-up call for many organizations last December. This was followed by government action in the form of guidance from the Office of Management and Budget (OMB) and the European Cyber Resilience Act, both of which have a supply chain focus,” said Eng. “To improve performance in the year ahead, technology businesses should not only consider strategies that help developers reduce the rate of flaws introduced into code, but also put greater emphasis on automating security testing in the Continuous Integration/Continuous Delivery (CI/CD) pipeline to increase efficiencies.”
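One concrete form that "automating security testing in the CI/CD pipeline" takes is a gate that reads the scanner's output and fails the build on findings above a chosen severity. The following is an added illustration, not Veracode's tooling or any real scanner's report format: the JSON shape (a `findings` list with `id`, `severity` and `file`), the sample report, and the exception policy keyed on (finding id, file) with an ISO expiry date are all assumptions made for the example.

```python
"""Added example: a severity-based CI gate over scanner findings.

The report format is constructed for this example and is not any real
scanner's output. The policy implemented here: block the build on any
finding at or above `fail_at`, unless an unexpired exception exists for
that (id, file) pair. Unknown severities fail closed (treated as critical),
so a scanner emitting a new label cannot silently pass the gate.
"""
import json
from datetime import date

# Constructed sample report (assumption: a generic {"findings": [...]} document).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "CWE-89",  "severity": "high",    "file": "app/db.py",     "line": 42},
        {"id": "CWE-200", "severity": "medium",  "file": "app/views.py",  "line": 17},
        {"id": "CWE-327", "severity": "high",    "file": "app/crypto.py", "line": 9},
        {"id": "CWE-16",  "severity": "low",     "file": "nginx.conf",    "line": 3},
        {"id": "X-1",     "severity": "unknown", "file": "app/util.py",   "line": 1},
    ]
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(report_text):
    """Parse the (constructed) report format into a list of finding dicts."""
    return json.loads(report_text)["findings"]


def evaluate_gate(findings, fail_at="high", exceptions=None, today=None):
    """Return (passed, blocking, waived).

    exceptions maps (finding_id, file) -> ISO-8601 expiry date; an exception
    that has expired no longer waives the finding. `today` may be a date or
    an ISO string, so the decision is reproducible in tests.
    """
    exceptions = exceptions or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[fail_at]

    blocking, waived = [], []
    for f in findings:
        # Fail closed: a severity label we do not recognise counts as critical.
        rank = SEVERITY_RANK.get(str(f["severity"]).lower(), SEVERITY_RANK["critical"])
        if rank < threshold:
            continue
        expiry = exceptions.get((f["id"], f["file"]))
        if expiry is not None and date.fromisoformat(expiry) >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return (not blocking, blocking, waived)


if __name__ == "__main__":
    passed, blocking, waived = evaluate_gate(load_findings(SAMPLE_REPORT))
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['id']:8} {f['file']}:{f['line']}")
    raise SystemExit(0 if passed else 1)
```

The non-zero exit status is what makes this usable as a pipeline step; the expiring exception list is what stops teams from permanently silencing a finding they meant to defer for a sprint.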
Cybercriminals routinely probe the internet-facing applications a business runs for vulnerabilities in the code. When they find one, they often use it to deploy a web shell, which gives them a foothold on the server and, from there, access to the company network and its endpoints. After mapping the network and identifying its devices and data, they launch the second stage of the attack, which is typically ransomware, other malware, or data wipers.
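A web shell dropped through an application flaw leaves traces in the web server's access log: a script file being executed from a directory that should only hold uploaded content, command-style query parameters, and POST requests to a script with no Referer, all usually from a single operator IP. The following detector is an added example, not something from the Veracode report; the log lines are constructed, it assumes the Apache/nginx Combined Log Format, and `UPLOAD_DIRS` is an assumption about which paths on the hypothetical site should never serve scripts.

```python
"""Added example: flag web-shell indicators in Combined Log Format access logs.

Log lines and site layout are constructed for the example. Three indicators
are checked per request; `scan` also reports how many distinct client IPs hit
each flagged script path, since a web shell normally has a single operator.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx Combined Log Format; the referer/user-agent pair is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|jsp|jspx|asp|aspx|ashx|cgi)$', re.I)
# Assumption about the hypothetical site: these directories hold content, not code.
UPLOAD_DIRS = ("/uploads/", "/media/", "/static/", "/images/")
# Parameter names commonly used by simple command-execution shells.
CMD_PARAMS = {"cmd", "exec", "command", "c", "pass", "shell"}

# Constructed sample log: one operator (203.0.113.7) drops and drives a shell,
# one ordinary user (198.51.100.20) views a photo and logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:10:01:09 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 88 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:10:01:15 +0000] "GET /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 41 "-" "python-requests/2.28"
198.51.100.20 - - [10/Mar/2023:10:02:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 20482 "https://example.test/profile" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2023:10:02:30 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators(entry):
    """Return the list of reasons one request looks like web-shell traffic."""
    reasons = []
    parts = urlsplit(entry["target"])
    path, query = parts.path, parse_qs(parts.query)
    is_script = bool(SCRIPT_EXT.search(path))
    if is_script and path.startswith(UPLOAD_DIRS):
        reasons.append("script executed from upload directory")
    if CMD_PARAMS & set(query):
        reasons.append("command-style query parameter")
    if entry["method"] == "POST" and is_script and (entry.get("referer") or "-") == "-":
        reasons.append("POST to script with no Referer")
    return reasons


def scan(log_text):
    """Return (hits, hot_paths).

    hits: (client_ip, path, reasons) for every flagged request, in log order.
    hot_paths: flagged path -> number of distinct client IPs that hit it.
    """
    hits, clients = [], {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = indicators(entry)
        if reasons:
            path = urlsplit(entry["target"]).path
            hits.append((entry["ip"], path, reasons))
            clients.setdefault(path, set()).add(entry["ip"])
    return hits, {p: len(ips) for p, ips in clients.items()}


if __name__ == "__main__":
    hits, hot = scan(SAMPLE_LOG)
    for ip, path, reasons in hits:
        print(f"{ip} {path}: {', '.join(reasons)}")
    for path, n in hot.items():
        print(f"{path} reached by {n} distinct client(s)")
```

The upload-directory check is the most reliable of the three because it is a policy violation rather than a heuristic: if `/uploads/` never needs to execute code, the fix on the server side is to disable script execution there, and any hit on that indicator after the fix points to a misconfiguration rather than a shell.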