Mar 13, 2020

Nearly half of security flaws are never fixed

Security debt

Veracode, an application security company, released its 10th annual State of Software Security report. Veracode tested more than 85,000 applications across its customer base to learn more about the prevalence of security flaws and debt.

More apps have issues, but they’re less severe. According to Veracode, 83% of applications have at least one security flaw. That’s up nearly 10% since Veracode’s first report was released ten years ago. Only 20% of applications, however, have high-severity vulnerabilities, down from 34% ten years ago.

Many issues are fixed quickly; others not so much. The median time to fix a security flaw is 59 days, unchanged from nearly a decade ago. The average time to remediation, however, has jumped to 171 days, compared to 59 days ten years ago.

Why the jump in the average but not the median? The median only tracks the typical finding, which is still fixed in about two months. The average is pulled by outliers, and development teams are increasingly letting low-priority flaws fester for months or years. That long tail of slow fixes raises the average remediation time while leaving the median almost untouched.

According to the report, 30% of closed issues were closed in the first two weeks and 50% were closed in the first two months. Yet half of current open findings have been open more than 180 days.

Security debt is a mounting problem. Roughly 70% of development teams are keeping pace or pulling ahead, closing at least as many flaws as they open, so their backlog holds steady or shrinks. That means nearly 30% of teams are closing fewer flaws than they open and are actively accruing security debt.

All told, just 56% of software flaws eventually get fixed, a figure the report calls the fix rate. With so many unresolved findings, security debt seems unlikely to disappear any time soon.
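The statistics above (median versus mean time to fix, share closed within a window, age of open findings, fix rate, and net debt per team) are easy to compute from any scanner export that records when a finding was opened and closed. The script below is an added example, not code from the original post or from Veracode. It runs the same calculations over a small constructed finding list in which two slow fixes form the long tail, so the effect described above shows up in the numbers: dropping the two tail findings moves the median by one day but cuts the mean by roughly two thirds. The `Finding` structure, the team names and all dates are assumptions made for the example.

```python
"""Security-debt metrics from a list of scanner findings.

Added example; not code from the original post or from Veracode. It computes
the statistics the report discusses (median and mean time-to-fix, fix rate,
share of findings closed within a window, age of open findings, net debt per
team) over a constructed finding list.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, median
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    team: str
    opened: date
    closed: Optional[date]  # None means still open


TODAY = date(2020, 3, 13)


def _d(days_ago: int) -> date:
    return TODAY - timedelta(days=days_ago)


# Constructed sample data (not from the report). Closed findings have
# time-to-fix of 5, 40, 59, 60, 120, 460 and 590 days; the last two are
# the "long tail" that drags the mean up while barely moving the median.
FINDINGS = [
    Finding("payments", _d(400), _d(395)),
    Finding("payments", _d(380), _d(340)),
    Finding("payments", _d(300), _d(241)),
    Finding("payments", _d(200), _d(140)),
    Finding("payments", _d(250), None),
    Finding("payments", _d(90), None),
    Finding("portal", _d(600), _d(10)),
    Finding("portal", _d(500), _d(40)),
    Finding("portal", _d(130), _d(10)),
    Finding("portal", _d(450), None),
    Finding("portal", _d(300), None),
    Finding("portal", _d(400), None),
]


def days_to_fix(f: Finding) -> int:
    """Calendar days between opening and closing (closed findings only)."""
    assert f.closed is not None
    return (f.closed - f.opened).days


def time_to_fix(findings, cap_days=None):
    """(median, mean) time-to-fix over closed findings.

    cap_days, when given, drops closed findings slower than the cap so the
    long tail's contribution to the mean can be isolated."""
    days = [days_to_fix(f) for f in findings if f.closed is not None]
    if cap_days is not None:
        days = [d for d in days if d <= cap_days]
    return median(days), mean(days)


def fix_rate(findings) -> float:
    """Share of all findings that have been closed (the report's fix rate)."""
    return sum(f.closed is not None for f in findings) / len(findings)


def closed_within(findings, days: int) -> float:
    """Share of closed findings fixed within `days` of being opened."""
    closed = [f for f in findings if f.closed is not None]
    return sum(days_to_fix(f) <= days for f in closed) / len(closed)


def open_older_than(findings, days: int, today: date = TODAY) -> float:
    """Share of still-open findings that have been open for more than `days`."""
    still_open = [f for f in findings if f.closed is None]
    return sum((today - f.opened).days > days for f in still_open) / len(still_open)


def net_debt_by_team(findings, since: date):
    """Findings opened minus findings closed per team since `since`.

    Positive means the team is accruing security debt in that window;
    zero or negative means it is keeping pace or pulling ahead."""
    net = defaultdict(int)
    for f in findings:
        if f.opened >= since:
            net[f.team] += 1
        if f.closed is not None and f.closed >= since:
            net[f.team] -= 1
    return dict(net)


if __name__ == "__main__":
    med, avg = time_to_fix(FINDINGS)
    med_c, avg_c = time_to_fix(FINDINGS, cap_days=180)
    print(f"median/mean time to fix: {med:.0f}/{avg:.0f} days")
    print(f"same, ignoring fixes slower than 180 days: {med_c:.0f}/{avg_c:.0f} days")
    print(f"fix rate: {fix_rate(FINDINGS):.0%}")
    print(f"closed within 14 days: {closed_within(FINDINGS, 14):.0%}, "
          f"within 60 days: {closed_within(FINDINGS, 60):.0%}")
    print(f"open findings older than 180 days: {open_older_than(FINDINGS, 180):.0%}")
    print("net debt per team over the last year:", net_debt_by_team(FINDINGS, _d(365)))
```

On the constructed data the median is 60 days and the mean 191 days; with the two tail findings excluded the median is 59 days and the mean 57 days. The `net_debt_by_team` window is the check to run per team: a team whose number stays positive quarter after quarter is the one accruing debt, even if its median time to fix looks healthy.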
