A recent study highlights the growth in security debt and shows that finding and fixing flaws is becoming increasingly critical if potentially costly breaches are to be avoided.
For those unfamiliar with the term, let’s start by defining security debt. It is the accumulation of unfixed or unresolved security vulnerabilities, software that is out of date or other security risks that have not been addressed within an organisation’s technology infrastructure or applications. Simply put, it is technical debt that accumulates specifically in the cyber security domain.
Mitigating the related risks and minimising the impact of application security debt within any organisation involves proactively addressing security vulnerabilities and keeping systems and software current with fixes, patches and updates. Implementing robust security controls and aligning with industry best practices for secure software development are also essential parts of an effective overall security posture.
Application security debt has a compounding effect that can continuously increase the attack surface, resulting in greater risk and costly remediation as the codebase grows and evolves, while slowing down app development velocity.
A staggering statistic from the 2024 State of Software Security report reveals that approximately 70% of applications contain flaws that fall within the Open Worldwide Application Security Project (OWASP) Top 10 most critical security risks to web applications. Another community-developed list of software and hardware weaknesses worth referencing is the Common Weakness Enumeration (CWE). The report uses a metric called flaw density, the number of application security (AppSec) flaws identified per megabyte (MB) of code. Based on current verified data, a typical application is estimated to carry 42 flaws for every 1MB of code.
But just how critical are these software security flaws? The report indicates that about 3% of all flaws are considered very high severity and 16% are very likely to be exploited by attackers. It further suggests that 43.5% of all flaws represent a substantial attack surface for many organisations and must be managed to mitigate the associated risk. These flaws are introduced through first-party code, third-party code or a combination of the two, with flaws in the latter (open source) typically being more numerous.
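The two paragraphs above describe flaw density and the severity/exploitability split without showing how a team would apply them to its own scan results. The following is an added example, not code from the article or from Veracode: it takes a small, constructed set of scan findings, computes each application's flaw density against the 42-flaws-per-MB average cited above, and ranks the findings into a remediation queue. The record layout (`app`, `severity`, `likely_exploited`, `cwe`, `third_party`), the 1-to-5 severity scale, the application sizes and the triage weighting are all assumptions made for the illustration.

```python
"""Flaw density and remediation triage over a constructed scan export.

Added example; not Veracode's code. The 42-flaws-per-MB benchmark and the
severity/exploitability framing come from the article. The finding record
layout, severity scale and triage weights are assumptions for illustration.
"""
from collections import Counter

MB = 1_000_000                  # bytes per megabyte (assumption on how MB is counted)
BENCHMARK_FLAWS_PER_MB = 42.0   # industry average cited in the article

# Assumed severity scale: 5 = very high, 4 = high, 3 = medium, 2 = low, 1 = informational
SEVERITY_NAMES = {5: "very high", 4: "high", 3: "medium", 2: "low", 1: "info"}

# Constructed sample findings for three hypothetical applications.
SAMPLE_FINDINGS = [
    {"app": "payments-api", "severity": 5, "likely_exploited": True,  "cwe": "CWE-89",  "third_party": False},
    {"app": "payments-api", "severity": 4, "likely_exploited": True,  "cwe": "CWE-79",  "third_party": False},
    {"app": "payments-api", "severity": 3, "likely_exploited": False, "cwe": "CWE-200", "third_party": True},
    {"app": "web-portal",   "severity": 5, "likely_exploited": False, "cwe": "CWE-22",  "third_party": False},
    {"app": "web-portal",   "severity": 2, "likely_exploited": False, "cwe": "CWE-327", "third_party": True},
    {"app": "batch-jobs",   "severity": 4, "likely_exploited": True,  "cwe": "CWE-78",  "third_party": False},
    {"app": "batch-jobs",   "severity": 3, "likely_exploited": False, "cwe": "CWE-502", "third_party": True},
    {"app": "batch-jobs",   "severity": 1, "likely_exploited": False, "cwe": "CWE-532", "third_party": False},
]

# Constructed code sizes in bytes for the same hypothetical applications.
APP_SIZES_BYTES = {"payments-api": 2_500_000, "web-portal": 100_000, "batch-jobs": 50_000}


def flaw_density(findings, sizes_bytes):
    """Return {app: flaws per MB of code}, the metric the report calls flaw density."""
    counts = Counter(f["app"] for f in findings)
    # Multiply before dividing so small applications do not lose precision.
    return {app: counts.get(app, 0) * MB / size for app, size in sizes_bytes.items()}


def apps_over_benchmark(density, benchmark=BENCHMARK_FLAWS_PER_MB):
    """Applications whose flaw density exceeds the benchmark, sorted by name."""
    return sorted(app for app, d in density.items() if d > benchmark)


def triage_score(finding):
    """Higher scores are fixed first.

    Assumed policy: severity contributes 1..5, and a flaw judged likely to be
    exploited gets +5 so that it outranks every non-exploited flaw regardless
    of severity. Teams may weight this differently; the point is that severity
    alone does not decide the order.
    """
    return finding["severity"] + (5 if finding["likely_exploited"] else 0)


def prioritised(findings):
    """Remediation queue: highest triage score first, ties broken by app then CWE."""
    return sorted(findings, key=lambda f: (-triage_score(f), f["app"], f["cwe"]))


def summarise(findings):
    """Portfolio-level figures comparable to the report's percentages."""
    total = len(findings)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "very_high_pct": pct(sum(1 for f in findings if f["severity"] == 5)),
        "likely_exploited_pct": pct(sum(1 for f in findings if f["likely_exploited"])),
        "third_party_pct": pct(sum(1 for f in findings if f["third_party"])),
    }


if __name__ == "__main__":
    density = flaw_density(SAMPLE_FINDINGS, APP_SIZES_BYTES)
    for app, d in sorted(density.items()):
        flag = " (over benchmark)" if d > BENCHMARK_FLAWS_PER_MB else ""
        print(f"{app:14s} {d:8.1f} flaws/MB{flag}")
    print("portfolio:", summarise(SAMPLE_FINDINGS))
    print("fix first:")
    for f in prioritised(SAMPLE_FINDINGS)[:3]:
        print(f"  {f['app']:14s} {f['cwe']:8s} {SEVERITY_NAMES[f['severity']]:9s}"
              f" exploited={f['likely_exploited']}")
```

On the constructed data the smallest application (`batch-jobs`) is the only one above the benchmark, which is the usual lesson of the metric: raw flaw counts favour big codebases, density does not. The queue also puts a high-severity command-injection finding that is likely to be exploited ahead of a very-high-severity finding that is not, which is the kind of ordering the 16% exploitability figure is meant to drive.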
Fortunately, various strategies and recommendations exist to help organisations limit their security debt exposure. These include integrating security into the entire software development life cycle (SDLC), together with ongoing prioritisation and remediation of the flaws identified. Adopting multiple application testing methods is also immensely important, as is understanding your preferred language's debt profile while leveraging automation and AI across the software supply chain to discover, identify and fix flaws.
Veracode Fix shifts the paradigm from find to fix, enabling organisations to reduce their agile backlog, save time and secure more without writing code, by using AI-augmented fixes trained on a curated dataset.
Technically, there are three key elements to Veracode Fix’s machine learning solution:
- The model – a GPT transformer deep learning model, much like ChatGPT.
- The data – Veracode Fix is trained on a proprietary and highly curated dataset of reference patches, unlike competitors trained on large, uncurated datasets.
- Training and alignment – supervised learning and alignment by Veracode's team of expert security researchers and application security consultants.
Veracode Fix is the fusion of Veracode's experience and the responsible adoption of AI technology in practice. It does not automatically change or modify customers' code: a developer in the loop reviews and selects the suggested fixes before they are implemented.
Veracode is a sponsor of the annual ITWeb Security Summit 2024 to be held at Sandton Convention Centre in Sandton, Johannesburg, from 4 to 5 June 2024. Visit to register.
Written by: Greg Harrowsmith, CA Southern Africa Pre-Sales
Originally featured here