Nearly all (97 per cent) of Java applications contain at least one component with a known vulnerability, according to a new study by app security firm Veracode.

Veracode reports year-over-year improvements in the code organisations write, a positive finding somewhat undone by the increasing proliferation of risk from open source and third party component use. A single popular component with a critical vulnerability spread to more than 80,000 other software components, which were in turn then used in the development of potentially millions of software programs.

“The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries,” said Brian Fitzgerald, CMO at Veracode.

The Veracode sitrep also highlights the progress and remaining challenges in software development more generally. Three in five (60 per cent) of applications fail security policies upon first scan, it says.

Best practices in secure software development are emerging but they’re still not pervasive enough to make a difference across the software development market as a whole.

One positive improvement came from the practice among more forward-thinking organisations of giving developers more power to improve security. For example, if developers used sandbox technology to scan apps prior to assurance testing this resulted in a doubling in fix rates.

Training developers can make an even bigger difference. Best practices like remediation coaching and eLearning can improve vulnerability fix rates by much more, with a sixfold increase in fix rate performance recorded in some cases, according to Veracode.

DevOps practices are taking hold among industry leaders who have established mature application security programmes. Some applications being scanned multiple times per day. The average security tests per app is seven, with some apps being scanned 600-700 times, Building security into DevOps processes (DevSecOps) can yield great results for organisations in reducing risk without slowing down software development, Veracode argues.

Despite improvements in some quarters web applications remain fragile: More than half of web applications tested using Veracode’s tools were affected by misconfigured secure communications or other security defence shortcomings.

Veracode’s seventh State of Software Security Report (download here, registration required) covers metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments, using Veracode’s code audit tools over the last 18 months. ®