Veracode's 2024 EMEA Report Exposes Alarming Levels of Security Debt Across the Region

In its latest snapshot of the State of Software Security (SoSS) 2024 report, Veracode, a leader in application risk management, revealed concerning levels of security debt plaguing organizations across Europe, the Middle East, and Africa (EMEA). The report found that 68% of EMEA organizations are dealing with security debt, with 46% harboring high-severity flaws, deemed 'critical' security debt, which pose a significant risk to their applications.


Security debt refers to software vulnerabilities that remain unfixed for over a year, often accumulating when developers lack the resources or time to address them. These unresolved flaws create a dangerous backlog that grows over time, leaving organizations more susceptible to potential cyberattacks. The stakes are especially high when it comes to critical flaws, which, according to the report, are the greatest threat and could lead to devastating breaches if left unaddressed.


Chris Eng, Veracode’s Chief Research Officer, emphasized the urgency of the findings, stating, "The findings of this year’s EMEA SoSS report are a wake-up call for organizations in the region. Businesses should have a laser focus on remediating critical security debt first, given these flaws present the highest risk."


Manual Fixes Falling Behind

One of the main challenges highlighted by the report is the slow remediation process, particularly for third-party code. Organizations in EMEA using manual methods to address flaws take an average of 19 months to fix vulnerabilities in third-party code, compared to 9 months for first-party code. This delay in addressing security issues can leave organizations vulnerable for extended periods.


Interestingly, while 84% of overall security debt stems from first-party code developed in-house, the report found that 80% of critical security debt originates from third-party code. This hidden risk is significantly higher in EMEA compared to the global rate of 65%, underscoring the need for better oversight of third-party software components.


AI's Role in Tackling Security Debt

The report also explored the dual role of artificial intelligence (AI) in software development and security. While AI code generators, such as GitHub Copilot, have increased efficiency for developers, they can inadvertently introduce vulnerabilities. Recent research found that 36% of AI-generated code contains security flaws, underscoring the need for careful scrutiny of code produced by these tools.


However, AI also offers a powerful solution to the growing problem of security debt. Tools like Veracode Fix, an AI-powered remediation solution, can dramatically reduce the time it takes to address common vulnerabilities. Eng noted, "AI-powered remediation tools can save teams a significant amount of time by automating fix recommendations and tackling flaws at scale. For example, our AI-powered remediation solution, Veracode Fix, has slashed fix times for common vulnerabilities from days to minutes."


Strategies for Reducing Security Debt

The report suggests that organizations can manage their security debt by focusing on the most critical issues first. With 60% of flaws in EMEA organizations classified as neither critical nor security debt, teams can prioritize the 4% of flaws that pose the highest risk. Once these high-severity issues are addressed, organizations can then move on to resolving less urgent vulnerabilities, balancing their efforts with available resources.
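To make the triage described above concrete, here is an added Python example (not Veracode's tooling or the report's data) that buckets open findings using the report's two definitions, unfixed for more than a year is security debt and high severity is critical, and builds a remediation queue with critical debt at the front. The severity labels, the ordering of buckets after critical debt, the first_party/third_party tags and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
# Report definitions: unfixed for more than a year = security debt; high severity = critical.
DEBT_AGE_DAYS = 365
HIGH_SEVERITIES = {"high", "very_high"}  # assumption: severity labels are plain strings
# Assumed order: critical debt first (as the report advises), then other high-severity
# flaws, then older non-critical debt, then everything else.
PRIORITY = {"critical_debt": 0, "critical": 1, "debt": 2, "other": 3}

@dataclass
class Finding:
    id: str
    severity: str
    first_seen: date
    fixed: bool
    origin: str  # "first_party" or "third_party"

def classify(f: Finding, today: date) -> str:
    """Place one finding in one of the report's four buckets."""
    debt = (today - f.first_seen).days > DEBT_AGE_DAYS
    critical = f.severity.lower() in HIGH_SEVERITIES
    if debt and critical:
        return "critical_debt"
    return "debt" if debt else ("critical" if critical else "other")

def triage(findings, today):
    """Bucket open findings by id and return (buckets, ordered remediation queue)."""
    open_ = [f for f in findings if not f.fixed]
    buckets = {k: [] for k in PRIORITY}
    for f in open_:
        buckets[classify(f, today)].append(f.id)
    queue = sorted(open_, key=lambda f: (PRIORITY[classify(f, today)], f.first_seen))
    return buckets, [f.id for f in queue]

def third_party_share_of_critical_debt(findings, today) -> float:
    """Fraction of open critical debt that sits in third-party code (the report's 80% metric)."""
    crit = [f for f in findings if not f.fixed and classify(f, today) == "critical_debt"]
    return sum(f.origin == "third_party" for f in crit) / len(crit) if crit else 0.0
TODAY = date(2024, 6, 1)  # constructed reference date
SAMPLE = [  # constructed findings, not data from the report
    Finding("F1", "high", date(2022, 11, 3), False, "third_party"),
    Finding("F2", "high", date(2024, 3, 10), False, "first_party"),
    Finding("F3", "medium", date(2022, 1, 15), False, "first_party"),
    Finding("F4", "low", date(2024, 5, 20), False, "first_party"),
    Finding("F5", "high", date(2022, 6, 1), True, "third_party"),  # already fixed
    Finding("F6", "very_high", date(2023, 2, 2), False, "first_party"),
]

if __name__ == "__main__":
    buckets, queue = triage(SAMPLE, TODAY)
    print(buckets, queue, third_party_share_of_critical_debt(SAMPLE, TODAY))
```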


For companies looking to streamline this process, Application Security Posture Management (ASPM) tools offer a unified view of risk, tracking vulnerabilities across the software lifecycle. Veracode's own ASPM solution, Longbow, helps security teams prioritize vulnerabilities based on contextual analysis, providing actionable insights to mitigate risk with minimal effort.


As security debt continues to build, especially among EMEA organizations, the report serves as a call to action. Eng concluded, "The prevalence of security debt among EMEA organizations highlights the need for immediate action to protect businesses against future breaches. Security leaders and developers should focus on patching the most critical flaws that introduce the most risk given their context. AI-powered security solutions that scale remediation efforts will enable teams to tackle their growing security debt more efficiently and reduce the amount of time vulnerabilities can be exploited."
