Security Flaws The Effects of Time and Language
Written by Sue Gee   
Wednesday, 22 February 2023

JavaScript applications have fewer flaws and faster flaw resolution than Java and .NET applications. This finding is from AppSec company Veracode, which recently brought out its annual State of Software Security Report based on an analysis of three-quarters of a million applications, data it has collected over 17 years.

Introducing the State of Software Security 2023 Report on the Veracode blog, Natalie Tischler reveals that the first takeaway from the analysis is about the accumulation of  security flaws over time.  By the time they move into production, nearly one-third of all applications have flaws. Irrespective of their original size, applications grow by about 40 percent year-on -year and so does the incidence of flaws. Nearly 70 percent of applications contain at least one by the time they have been in production for five years, and by the time an application is 10 years old only 10% are free of security flaws

Looking at flaw prevalence in the latest scan over the past twelve months, over 74% of applications contain at least one:

verac flaws 

Regarding flaws defined on the OWASP Top 10, a list of the 10 most common application vulnerabilities from the Open Web Application Security Project, 70% are affected. In addition over 56% have at least one flaw included in the CWE Top 25. However fewer than 20% have High Severity flaws which is a drop from the 24% when we reported on Veracode's findings two years ago.

This years' report includes a "rolling view" of the evolution of flaws which shows that things are improving as every measurement trends downwards of the last six years.

verac flaws timeIn its analysis undertaken to get a better handle on flaw introduction, security debt accumulation, and application lifecycle management, Veracode looked the top three languages - Java, used by 44% of the applications it covers, .NET (26%), and JavaScript (14%).

It found that while almost five out of every six .NET applications and over three out of four Java applications have reported flaws, only 55% of Javascript apps have any flaws.

verac flaws lang


Moreover when flaws are introduced into JavaScript applications they are resolved faster and can be seen here:

verac remed time

This graphic shows at the probability that a finding is still open as a function of the time since the flaw was first discovered. At first glance, the four curves Other, Java, .NET and JavaScript appear to be descending together closely, but they are not. In the case of Other the probability that a flaw is still open after three months is 67%, for Java it is 65%, for .NET 59% and JavaScript 54%. The expected time to remediate half of the open flaws is 272 days for Other, 243 days for Java, 158 days for .NET and only 116 days for JavaScript. After two years, while 27% of flaws in Java apps are still unremediated, this is the case of only 14% of those written in JavaScript. 




More Information

Veracode State of Software Security 2023 Report


Related Articles

Veracode Reveals Security Flaws

State of Software Security (2015)

Ever Increasing Need For Secure Programming

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.



Run WebAssembly Components Inside Node.js With Jco

Jco 1.0 has been just announced by the Bytecode Alliance.It's a native JavaScript WebAssembly toolchain and runtime that runs Wasm components inside Node.js. Why is that useful?

Avi Wigderson Gains Turing Award

Israeli mathematician and computer scientist, Avi Wigderson, is the recipient of the 2023 ACM A.M Turing Award which carries a $1 million prize with financial support from Google.

More News

raspberry pi books



or email your comment to:

Last Updated ( Wednesday, 22 February 2023 )