Around 80 percent of applications developed in EMEA countries contain at least one vulnerability. That is the headline finding of Veracode's study “State of Software Security (SoSS) Report EMEA”.
EMEA also has the highest share of high-severity vulnerabilities of any region, meaning flaws that, if exploited, could cause a critical failure in the affected application. Since a high number of flaws in software code correlates with higher security risk, it is no surprise that attacks on the software supply chain dominate the headlines in 2023.
The researchers found that just over 80 percent of applications developed by EMEA organizations had at least one security flaw when last scanned within the previous 12 months; for applications developed in the United States the figure was 73 percent. The share of applications containing high-severity flaws was nearly 20 percent in EMEA, the highest of any region worldwide.
750,000 applications analyzed
“Our data shows that organizations worldwide are deploying a high number of applications with many of the top 25 Common Weakness Enumeration (CWE) vulnerabilities,” said Chris Eng, chief research officer at Veracode. “However, we found interesting regional differences, particularly around the use of third-party or open source code and the way vulnerabilities are introduced throughout an application's lifecycle,” Eng continued.
Veracode's State of Software Security (SoSS) report is based on data from more than 27 million scans of 750,000 applications. The latest edition presents EMEA-specific results for 2023 for the UK, Germany, France, Italy, and the Middle East and Africa.
Numbers alone, however, do not convey what the exploitation of a software vulnerability can lead to. Because organizations across EMEA use an increasingly complex mix of third-party software, the exploitation of a single serious vulnerability can hit thousands of victims at once. Earlier this year, a vulnerability in the print management software PaperCut MF and PaperCut NG was actively exploited by attackers. Up to 70,000 organizations in 200 countries were potential victims, and according to law enforcement officials, threat actors used it to compromise educational institutions.
Java and third-party code are major sources of vulnerabilities
The study found notable regional differences in preferred programming languages: Java is the language of choice for developers in EMEA. It also showed that teams working in Java fix vulnerabilities more slowly than teams using .NET or JavaScript, so many vulnerabilities persist, or go undetected, for significantly longer. Since Java applications consist of more than 95 percent third-party or open source code, much of that exposure sits in dependencies the team did not write, which makes the prevalence of Java a key factor in EMEA's higher share of vulnerable applications. This is why Software Composition Analysis (SCA), which identifies known vulnerabilities in the open source components an application includes, matters so much. The study also shows that the proportion of vulnerabilities reported by SCA is higher in EMEA than in other regions.
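To make concrete what an SCA scan actually does, here is a small matcher written for this article; it is an added example, not Veracode's tooling or any real scanner. It inventories the third-party components from a constructed `mvn dependency:list`-style listing and matches each one against a constructed advisory table with affected version ranges. Every package name, version and advisory ID below is made up for illustration and describes no real vulnerability; the version comparison assumes plain dotted numeric versions and ignores Maven qualifiers.

```python
"""Minimal Software Composition Analysis (SCA) matcher (illustrative, not a real scanner)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the shape of `mvn dependency:list` output (not from a real project).
DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.example:json-utils:jar:2.14.0:compile
[INFO]    org.example:template-engine:jar:1.3.2:compile
[INFO]    net.example:logging-core:jar:3.0.1:runtime
[INFO]    net.example:test-harness:jar:5.9.0:test
"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, deliberately not a CVE
    group: str
    artifact: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix released
    severity: str


# Constructed advisory data; none of these describe real vulnerabilities.
ADVISORIES = [
    Advisory("ADV-0001", "org.example", "json-utils", "2.0.0", "2.15.0", "High"),
    Advisory("ADV-0002", "org.example", "template-engine", "1.0.0", "1.3.2", "Medium"),
    Advisory("ADV-0003", "net.example", "logging-core", "3.0.0", "", "Critical"),
    Advisory("ADV-0004", "net.example", "test-harness", "5.0", "6.0", "Low"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.0' into (2, 14, 0); a non-digit suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before b; shorter tuples are zero-padded so 1.3 == 1.3.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_dependency_list(text: str) -> List[Dependency]:
    """Extract group:artifact:version:scope from each resolved-dependency line."""
    deps = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) < 5:           # header, blank or otherwise unrelated line
            continue
        # g:a:type:version:scope or g:a:type:classifier:version:scope -> version is always parts[-2]
        deps.append(Dependency(parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """Component matches and its version lies in [introduced, fixed)."""
    if (dep.group, dep.artifact) != (adv.group, adv.artifact):
        return False
    if version_lt(dep.version, adv.introduced):
        return False
    return adv.fixed == "" or version_lt(dep.version, adv.fixed)


def scan(deps: List[Dependency], advisories: List[Advisory], include_test_scope: bool = False):
    """Return (advisory_id, severity, coordinates) findings, most severe first."""
    findings = []
    for dep in deps:
        if dep.scope == "test" and not include_test_scope:
            continue                 # test-only dependencies do not ship to production
        for adv in advisories:
            if is_affected(dep, adv):
                findings.append((adv.advisory_id, adv.severity,
                                 f"{dep.group}:{dep.artifact}:{dep.version}"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[1]], f[0]))


if __name__ == "__main__":
    for advisory_id, severity, coords in scan(parse_dependency_list(DEPENDENCY_LIST), ADVISORIES):
        print(f"{severity:8} {advisory_id}  {coords}")
```

Two details matter in practice and are exercised here: the upper bound of an affected range is exclusive, so a component sitting exactly on the fixed version is not reported, and a component with no fixed version is still reported, because the absence of a patch is exactly the case a team has to plan around rather than ignore.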
As generative AI becomes more important in software development, the risk of vulnerabilities from external sources grows. A study presented at Black Hat in 2022 found vulnerabilities in 40 percent of code written by generative AI models trained on massive, unfiltered data sets, including millions of public GitHub repositories. It is therefore critical that organizations use SCA tools to find and remediate such vulnerabilities, so that developers can benefit from AI without jeopardizing application security.
Applications become more vulnerable over time
New vulnerabilities are introduced into code at a much higher rate across the application lifecycle in EMEA than in other regions. Although companies in EMEA keep their applications up to date, they pay less attention to code quality: five years into an application's life, 50 percent of EMEA applications are still acquiring new flaws, compared with around 30 percent worldwide. Overall, the probability that a vulnerability is introduced into an application in a given month is 27 percent.
Companies in EMEA would therefore benefit from paying more attention to the later part of the application lifecycle and scanning applications more regularly. They should also prioritize security training for developers: the study shows that after completing 25 interactive security exercises, the probability of introducing a vulnerability in a given month falls from 27 percent to around 10 percent.
“This year’s SoSS report highlights how important it is to keep an eye on the issue of security throughout the entire software life cycle. Above all, considering the risks of third-party and AI-generated code plays an important role,” continues Eng. “Globally, we are still seeing worrying levels of vulnerabilities – and in EMEA they are higher in almost all surveys. Development teams in EMEA should automate software security with regular scans and carefully consider the use of AI tools, both to increase security and reduce the burden on developers.”
More at Veracode.com
About Veracode
Veracode stands for intelligent software security. The Veracode Software Security Platform finds flaws and vulnerabilities at every stage of the modern software development lifecycle. With AI trained on trillions of lines of code, Veracode customers fix flaws faster and more accurately.