Chance that flaws will ever be dealt with diminishes the longer they stick around
A new report by Veracode highlights the risk of growing security debt for applications as a result of developers prioritizing fixes for new security flaws over resolving older problems. 83% of applications contain at least one vulnerability when they are scanned for the first time, with the most common issues being information leakage (64%), cryptographic issues (62%), and CRLF injection (61%). The majority (56%) of security flaws are fixed, but the longer issues remain unresolved, the less likely developers are to ever address them.
Veracode CTO Chris Wysopal said that while application security has improved over the past decade, “the report also shows us there is plenty of room for improvement, specifically when it comes to the issue of mounting security debt,” adding that “like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole.”