
Many apps have security flaws within their first year of release

New research shows that 32% of applications have security flaws in their first year, a share that rises to 70% by the fifth year.

Veracode's report says that to reduce the likelihood of serious flaws, firms should scan for vulnerabilities early, frequently, and with more than one scan type.

After that initial burst of flaws, most apps enter a "honeymoon phase" in which few, if any, new flaws are introduced, according to the company's analysis of more than three-quarters of a million applications from commercial software vendors, software outsourcers, and open-source projects.

Bad decisions that cost a lot

After that, some development teams slip back into careless habits, and the rate at which new flaws enter the code climbs to roughly 35% by the fifth year.

Veracode warns that deferring security fixes can cost far more in the long run, pointing to studies that put the average cost of a data breach at $4.35 million.

To lower the risk of introducing flaws, developers should take measures such as attending security training and using several scan types, API scanning among them.

The company also stressed scan frequency. Beyond that, it advises organisations to start paying down technical and security debt as early as possible, to prioritise automation and developer security training, and to establish an application lifecycle management process that covers change management, resource allocation, and organisational controls.

“Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly,” said Chris Eng, Chief Research Officer at Veracode.

“It is also advised that organisations establish rules on vulnerability detection and management and look at methods to lessen their reliance on external parties.”
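To make Eng's point about multiple advisory sources concrete, here is a small software-composition-analysis check added to this article as an example; it is not Veracode's code or any product's matching logic. It reads a pinned requirements file, matches each pin against advisories from two feeds, and merges hits so that a flaw known to both feeds is reported once while a flaw that has only reached a vendor feed (and not yet the NVD) is still reported. The feed names, package names, versions, advisory identifiers and the requirements file are all constructed for illustration, and version comparison assumes plain dotted numeric versions rather than full PEP 440 or semver handling.

```python
"""Toy SCA check: match pinned dependencies against advisories merged from
more than one feed.  Added example; all feeds, packages, versions and
identifiers below are constructed, not real advisories."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    source: str       # feed the record came from ("nvd", "vendor", ...)
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" if no fix yet
    ident: str        # the feed's own identifier (constructed placeholders)


# Constructed feeds.  "nvd" only carries entries that have reached the NVD;
# "vendor" carries one extra advisory that has been disclosed but not yet
# reached the NVD, and for which no fixed version exists yet.
FEEDS = {
    "nvd": [
        Advisory("nvd", "urllib-ish", "1.0.0", "1.26.5", "NVD-EXAMPLE-1"),
    ],
    "vendor": [
        Advisory("vendor", "urllib-ish", "1.0.0", "1.26.5", "VEND-1"),
        Advisory("vendor", "yaml-ish", "5.0.0", "", "VEND-2"),
    ],
}

# Constructed lockfile used as sample input.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
urllib-ish==1.25.0
yaml-ish==5.4.1
flask-ish>=2.0      # range specifier, not a pin: skipped
"""

# Only exact pins ("name==1.2.3") can be assessed without a resolver.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$"
)


def parse_version(v: str) -> tuple:
    # Assumption: plain dotted numeric versions such as "1.26.5".
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed), or >= introduced when
    no fix has been published."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def parse_requirements(text: str) -> dict:
    """Return {package_name_lowercase: pinned_version} for exact pins only."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        # Unpinned or range specifiers are skipped on purpose: without a
        # resolved lockfile their installed version is unknown.
    return pins


def scan(requirements_text: str, feeds: dict) -> list:
    """Match pins against every feed; merge records describing the same
    package and affected range into one finding carrying every feed's ID."""
    pins = parse_requirements(requirements_text)
    findings = {}  # (package, version, introduced, fixed) -> {source: ident}
    for source, advisories in feeds.items():
        for adv in advisories:
            ver = pins.get(adv.package.lower())
            if ver is None or not is_affected(ver, adv):
                continue
            key = (adv.package.lower(), ver, adv.introduced, adv.fixed)
            findings.setdefault(key, {})[source] = adv.ident
    report = []
    for (pkg, ver, _intro, fixed), ids in sorted(findings.items()):
        report.append({
            "package": pkg,
            "version": ver,
            "fix": fixed or None,                 # None: no fixed release yet
            "ids": dict(sorted(ids.items())),
            "nvd_only_would_miss": "nvd" not in ids,  # the extra feed paid off
        })
    return report


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUIREMENTS, FEEDS):
        print(finding)
```

Run against the constructed sample, the merged report lists two findings: the urllib-ish pin is flagged once with both the NVD and vendor identifiers, and the yaml-ish pin is flagged only through the vendor feed, which is exactly the advance warning Eng describes; a scan keyed on the NVD alone would have reported nothing for it. The range specifier on flask-ish is skipped rather than guessed at, which is the practical caveat: SCA results are only as good as the resolved version list they are given.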