
As developers struggle to prioritize security debt, Veracode announces latest innovations to identify and standardize critical risks

New Veracode Research Shows Developers Fix Low-Severity Vulnerabilities with More Urgency Than High-Severity Flaws; New Capabilities Enable Organizations to Prioritize Fixing What Matters Most

Black Hat USA Conference (Booth #2536) Veracode, a global leader in application risk management, today announced platform innovations that will help organizations discover, prioritize, and reduce security debt across their growing attack surface. Universal Connector and Application Security Heatmap, two of Longbow’s newest capabilities powered by Veracode, enable organizations to quickly connect findings from any source and view applications that contribute the greatest risk. Together, Universal Connector and Application Security Heatmap provide clear, operational visibility into assets and issues, enabling prioritization of remediation actions by measurable risk.

This press release contains multimedia. View the full release here: https://www.businesswire.com/news/home/20240801020287/en/

Figure 1: The State of Software Security in 2024 Language Snapshot (Graphic: Business Wire)

“The combination of mounting security debt, an expanding attack surface that has become more vulnerable to attacks due to generative AI, and an overwhelming number of security alerts make it difficult for organizations to prioritize which application threats to address,” said Chris Eng, research director at Veracode. “In fact, our State of Software Security research shows that many organizations are more focused on fixing low-impact bugs than critical bugs. Security leaders need technology that enables them to effectively detect and manage application risk, then reduce that risk by focusing on the issues that have the greatest impact across the attack surface.”

Security Debt Prioritization: Critical and Non-Critical

In its State of Software Security 2024 Language Snapshot report, Veracode revealed the varying incidence of "critical" and "non-critical" security debt across applications written in different languages. Critical security debt is defined in the report as serious vulnerabilities that remain unremediated for more than a year. If exploited, these vulnerabilities would severely compromise the integrity and availability of an organization's systems.

The study found that while most security debt exists in first-party code written by internal developers, the most critical security debt is found in third-party code (e.g., open-source software imported into the codebase). For example, 80 percent of critical debt in Java applications and 63 percent in JavaScript applications is found in third-party code. The report also found that about 51 percent of critical defects in Java applications convert to security debt, while only about 45 percent of low- and medium-severity defects do so.
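The figures above are ratios any team can compute over its own findings. The following is an added example (not Veracode's code, and not the Longbow platform's logic) that applies the report's definition of security debt, a finding left open for more than a year, to a small set of constructed findings, then reports the conversion rate by severity, the third-party share of critical debt, and a fix order that puts critical debt first. The `Finding` fields, the severity tiers, the first-party/third-party labels and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Report definition: a finding becomes security debt when it stays open for
# more than a year. Assumption: "a year" is treated as 365 days, strictly greater.
DEBT_AGE_DAYS = 365

# Assumed severity tiers; "critical" is the only tier counted as critical debt.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    finding_id: str
    severity: str          # one of SEVERITY_RANK
    origin: str            # "first-party" or "third-party" (assumed labels)
    first_seen: date
    fixed: Optional[date] = None


def is_security_debt(f: Finding, as_of: date) -> bool:
    """Open for more than DEBT_AGE_DAYS as of the given date; fixed findings never count."""
    if f.fixed is not None:
        return False
    return (as_of - f.first_seen).days > DEBT_AGE_DAYS


def debt_metrics(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Conversion-to-debt rate by severity class and third-party share of critical debt."""
    debt = [f for f in findings if is_security_debt(f, as_of)]
    crit_all = [f for f in findings if f.severity == "critical"]
    crit_debt = [f for f in debt if f.severity == "critical"]
    other_all = [f for f in findings if f.severity != "critical"]
    other_debt = [f for f in debt if f.severity != "critical"]

    def share(part: int, whole: int) -> float:
        return part / whole if whole else 0.0

    return {
        "debt_count": float(len(debt)),
        "critical_conversion": share(len(crit_debt), len(crit_all)),
        "noncritical_conversion": share(len(other_debt), len(other_all)),
        "critical_debt_third_party_share": share(
            sum(1 for f in crit_debt if f.origin == "third-party"), len(crit_debt)
        ),
    }


def prioritize(findings: List[Finding], as_of: date) -> List[str]:
    """Fix order for debt only: highest severity first, oldest first within a tier."""
    debt = [f for f in findings if is_security_debt(f, as_of)]
    debt.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.first_seen))
    return [f.finding_id for f in debt]


# Constructed sample findings (not real scan data); AS_OF is the report cut-off.
AS_OF = date(2024, 8, 1)
SAMPLE_FINDINGS = [
    Finding("F1", "critical", "third-party", date(2023, 1, 10)),
    Finding("F2", "critical", "third-party", date(2023, 3, 5)),
    Finding("F3", "critical", "first-party", date(2022, 11, 20)),
    Finding("F4", "critical", "first-party", date(2024, 6, 1)),              # too young
    Finding("F5", "critical", "third-party", date(2023, 2, 1), date(2023, 3, 1)),  # fixed
    Finding("F6", "high", "first-party", date(2023, 4, 1)),
    Finding("F7", "medium", "first-party", date(2024, 2, 15)),               # too young
    Finding("F8", "low", "third-party", date(2023, 5, 10)),
    Finding("F9", "low", "first-party", date(2024, 7, 20)),                  # too young
    Finding("F10", "medium", "third-party", date(2023, 6, 30), date(2024, 1, 1)),  # fixed
    Finding("F11", "critical", "first-party", date(2023, 8, 2)),             # exactly 365 days: not debt
]

if __name__ == "__main__":
    for key, value in debt_metrics(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{key}: {value:.2f}")
    print("fix order:", prioritize(SAMPLE_FINDINGS, AS_OF))
```

F11 sits on the boundary: 365 days old on the cut-off date, so it is not yet debt under the "more than a year" rule; moving `AS_OF` one day later flips it. Swapping the sample for real findings exported from a scanner (with whatever severity and origin fields that tool provides) gives the same two numbers the report quotes, and the fix order is the practical output, since it puts old critical debt ahead of recent low-severity findings.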

Eng said, “With a plethora of vulnerabilities, developers are not prioritizing those that pose the greatest risk. While focusing on non-critical vulnerabilities may result in a few quick fixes, developers should use their limited resources to work on fixing critical vulnerabilities with the highest potential security impact.”

Prioritization and Visibility: Universal Connector and Application Security Heatmap

Building on Veracode’s acquisition of Longbow Security in April of this year and the introduction of Longbow’s Repo Risk Visibility and Analysis capabilities in May, the Universal Connector and Application Security Heatmap are designed with developer time in mind. These capabilities provide operational oversight to help developers and security teams quickly identify and prioritize the most important fixes to the growing security debt in their applications.

The Universal Connector allows organizations to quickly access a variety of source data that they otherwise wouldn’t be able to bring into the Longbow platform, meaning they don’t have to wait for a tool-specific connector. The Application Security Heatmap maps an application back to its owner and shows a 90-day risk trend, and also allows for risk threshold adjustments to meet organizational policies. Application security teams and developers can analyze each application, view the risk distribution, and implement recommendations on the best next action to address that risk.

“As organizations seek to find and fix mounting critical security debt, the need for risk-oriented visibility and prioritization is clear,” said Derek Maki, vice president of product management at Veracode. “The new capabilities in the Longbow platform give our customers a deeper understanding of their organizations’ riskiest applications, as well as the unique ability to identify the five most impactful solutions for improvement.”

Enhanced with the acquisition of Longbow, Veracode closes the gap between development and security teams by providing visibility from code repositories to cloud assets and the runtime. Longbow also identifies infrastructure-as-code and misconfiguration risks for cloud assets originating from repositories.

Longbow Universal Connector and Application Security Heatmap are available immediately. For more information, visit the website or watch the interview with Brian Roche, CEO of Veracode, and Derek Maki.

The full State of Software Security 2024 Language Snapshot report is available on the Veracode website.

Visitors to Black Hat USA, August 3–8, 2024, can learn more about the Veracode platform and new features by visiting Veracode booth #2536 and viewing a demo.

About the State of Software Security Report

The Veracode State of Software Security 2024 report analyzed data from large and small companies, commercial software vendors, software outsourcing companies, and open source projects. The research draws from over one million (1,007,133) applications across all scan types, 1,553,022 dynamic analysis scans, and 11,429,365 static analysis scans. All of these scans generated 96 million raw static results, 4 million raw dynamic results, and 12.2 million raw software composition analysis results.

About Veracode

Veracode is the global leader in application risk management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-powered remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from development to cloud deployment. Thousands of the world's leading development and security teams use Veracode every second of every day to gain accurate, actionable visibility into exploitable risks, achieve real-time vulnerability remediation, and reduce security debt at scale. Veracode is an award-winning company that provides full software lifecycle security capabilities, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.

For more information, visit www.veracode.com, the Veracode blog, LinkedIn, and X.

Copyright 2024 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands, or logos are the property of their respective owners. All other trademarks mentioned herein are the property of their respective owners.

Contacts:

For more information please contact:
Katy Gwilliam

[email protected]