72 percent of applications contain vulnerabilities, and 12 percent are considered 'high severity' – the lowest of all industries analyzed
Sector still has room for improvement, with some of the lowest and slowest fix rates, especially for open-source flaws
BURLINGTON, Mass. – October 19, 2022 – Veracode, a leading global provider of application security testing solutions, today revealed that the manufacturing sector has the lowest number of software security flaws, dethroning financial services which took first place last year. The data was published in the company’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans across half a million applications in the manufacturing, healthcare, financial services, technology, retail, and government sectors.
While the industry grappled with increased pressure and demand on the supply chain, manufacturing emerged as the most-targeted industry by cybercriminals in 2021, with vulnerability exploitation identified as the top initial attack vector*. Securing the software supply chain has therefore never been a higher priority, and mandates such as the US Executive Order on Cybersecurity and the EU Cyber Resilience Act have put the issue firmly in the spotlight.
Chris Eng, Chief Research Officer at Veracode, said, “It’s encouraging to see flaw reduction over the past year as manufacturing organizations continue to make software security a priority—especially since technological innovation has led to the increased adoption of new platforms and environments. Last year, we found 76 percent of manufacturing apps contained flaws, with 21 percent considered ‘high severity’. These figures have decreased considerably.”
Open-source Security Flaws Stick Around for Longer
Despite the positive results in terms of flaw prevalence, Veracode’s research revealed that the manufacturing sector—alongside healthcare and technology—has the lowest proportion of flaws that are fixed once they’re discovered. More alarming is the amount of time taken to remediate flaws: the manufacturing sector posts some of the slowest timeframes for flaws discovered by static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA). For example, around 55 percent of flaws discovered by static analysis remain unfixed after one year, and the manufacturing sector consistently lags behind the overall average by four months.
Flaws in third-party libraries found through SCA stick around longer for all industries, with 30 percent of vulnerable libraries remaining unresolved after two years. For the manufacturing sector, that statistic rises to over 40 percent, lagging the cross-industry average by more than six months.
Eng said, “This may be influenced by a larger number of specialized, industrial applications that have fewer, but harder to fix, flaws than in other industries. These results amplify the need for manufacturers to focus on addressing flaws in a timely fashion.”
Some Flaws Are More Common Than Others
Eng closed, “The safety of businesses and critical infrastructure is largely dependent on the software supply chain being secure and this can only be achieved by having visibility of its components. Integrating security early in the software development lifecycle and leveraging tools to generate a Software Bill of Materials (SBOM) will provide manufacturers with assurance that the products they place in the market have fewer vulnerabilities and, therefore, less risk.”
* IBM Security, “X-Force Threat Intelligence Index”, February 2022
About the State of Software Security Report
The Veracode State of Software Security (SoSS) v12 analyzed the full historical data from Veracode services and customers. This accounts for a total of more than half a million applications (592,720) that used all scan types, more than a million dynamic analysis scans (1,034,855), more than five million static analysis scans (5,137,882) and more than 18 million software composition analysis scans (18,473,203). All those scans produced 42 million raw static findings, 3.5 million raw dynamic findings, and six million raw SCA findings.
The data represents large and small companies, commercial software suppliers, software outsourcers, and open-source projects. In most analyses, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated, and new versions uploaded.
Veracode is intelligent software security. The Veracode Software Security Platform continuously finds flaws and vulnerabilities at every stage of the modern software development lifecycle. Prompted by powerful AI trained by trillions of lines of code, Veracode customers fix flaws faster with high accuracy. Trusted by security teams, developers, and business leaders from thousands of the world’s leading organizations, Veracode is the pioneer, continuing to redefine what intelligent software security means. Learn more at www.veracode.com, on the Veracode blog, on Linkedin, and on Twitter.
Copyright © 2023 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.