Code is “drowning in security debt” says Veracode – and AI is both problem and solution

Drowning in security debt

A new “State of software security” report says application code is “drowning in debt”, where debt is defined as flaws that remain for longer than a year, and that AI-generated code is no more secure than that written by humans – but it adds that AI trained on common software weaknesses (CWEs) can accelerate code fixes.

The Veracode State of Software Security 2024 report, based on around 13 million code scans across 1 million applications, states that 63 percent of applications have flaws in first-party code, and 70 percent have flaws in third-party code. In around 42 percent of applications, vulnerabilities remain unfixed for a year or longer, becoming security debt; 71 percent of organizations are affected.
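To make the report's definition concrete, here is an added example (not Veracode's code or data) that flags debt in a constructed set of scan findings and breaks the debt rate down by language and by first- versus third-party origin; the Finding fields, the sample rows and the scan date are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One open flaw from a scan export (constructed schema, not a vendor format)."""
    app: str
    language: str
    third_party: bool      # True if the flaw sits in a dependency rather than first-party code
    severity: str          # "high", "medium" or "low"
    first_found: date      # date the scanner first reported the flaw


DEBT_AGE = timedelta(days=365)   # the report's definition: open for a year or longer


def is_debt(f: Finding, today: date) -> bool:
    """A flaw becomes security debt once it has stayed open for a year or more."""
    return today - f.first_found >= DEBT_AGE


def app_debt_summary(findings, today):
    """Per application: open flaws, how many are debt, and the oldest flaw's age in days."""
    summary = defaultdict(lambda: {"open": 0, "debt": 0, "oldest_days": 0})
    for f in findings:
        s = summary[f.app]
        s["open"] += 1
        s["debt"] += int(is_debt(f, today))
        s["oldest_days"] = max(s["oldest_days"], (today - f.first_found).days)
    return dict(summary)


def debt_rate_by(findings, today, key):
    """Share of open flaws that are debt, grouped by a Finding attribute (e.g. 'language')."""
    totals, debts = defaultdict(int), defaultdict(int)
    for f in findings:
        totals[getattr(f, key)] += 1
        debts[getattr(f, key)] += int(is_debt(f, today))
    return {k: debts[k] / totals[k] for k in totals}


def apps_with_debt_pct(findings, today):
    """Percentage of applications carrying at least one flaw that has become debt."""
    summary = app_debt_summary(findings, today)
    return 100 * sum(1 for s in summary.values() if s["debt"]) / len(summary)


TODAY = date(2024, 3, 1)   # assumed scan date
SAMPLE = [                 # constructed findings, not real scan results
    Finding("billing", "Java", False, "high", date(2022, 6, 1)),
    Finding("billing", "Java", True, "medium", date(2024, 1, 15)),
    Finding("reporting", "Python", False, "low", date(2023, 11, 20)),
    Finding("reporting", "Python", True, "medium", date(2023, 2, 1)),
    Finding("legacy-forms", "VB6", False, "high", date(2021, 3, 1)),
    Finding("intranet", "Python", False, "medium", date(2023, 10, 1)),
]
```

Running `debt_rate_by(SAMPLE, TODAY, "language")` on the sample gives the per-language debt share the report's chart expresses, and `apps_with_debt_pct` the "applications with security debt" figure.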

Not all programming languages are equal when it comes to security issues. The worst, by some measures, is Visual Basic 6 (VB6) – long deprecated by Microsoft but still running business-critical applications. Perl and COBOL also score badly, with these three described by the researchers as “holdovers of legacy codebases”.

Python applications, by contrast, are among the least likely to exhibit security debt, though not necessarily because of inherent safety. A flaw in a Java application has a 46 percent chance of becoming security debt, the paper says, and in a Python application the chance is halved, but “this likely stems from Java’s role in large, complex enterprise applications and Python being popular for lighter apps.”

Security flaws by programming language according to a new software security report: Perl, COBOL and Visual Basic 6 applications are the most affected

AI-generated code is no better or worse for security, says chief research officer Chris Eng, referencing a 2022 report from the Black Hat USA conference, though given the rapid evolution of AI coding that may now have changed.

That said, the researchers “strongly believe that AI can make the dream of accelerating code fixes a reality,” the paper states, “especially with using LLMs [large language models] that have been trained on specific CWEs.”

The types of flaws and the chance that they are fixed within one year

We note that Veracode has an interest in hyping the dangers, since it markets preventative tools, and that not all theoretical vulnerabilities translate into real-world risks. The report acknowledges the latter, stating that only about 3 percent of flaws are high severity. Nevertheless, “16 percent are very likely to be exploited by attackers,” the report claims.

Although the figures remain high, the trend is down, with high severity flaws diminishing from 37.9 percent in 2016 to 17.9 percent today.

Third-party code can be the hardest to fix. Vulnerable and outdated components from third parties are more likely to become security debt, according to the report. One issue is that more than half of applications use open source libraries with fewer than 10 contributors, according to Veracode. It can be difficult to eliminate vulnerable components from an application if other important components depend on them. “Libraries with more contributors tend to have better security scores,” the researchers say, also noting that frequent updates generally correlate with better security.

Other important factors are the age and size of applications. Large applications have the most security debt, the report says, and older applications have more debt since “the pace of remediation tends to wane as an application ages.”

What can developers do? It is a matter of integrating security into the software development lifecycle, the paper concludes, with scans, AI remediation, threat modelling, developer education and more. In addition, the ability to update applications frequently means fixes are more quickly applied and deployed.

Retiring those VB6 applications would also be a good plan, perhaps.