More security holes in European software

More security vulnerabilities in EMEA software

Share post

Around 80 percent of applications developed in EMEA countries had at least one vulnerability. This is the result of the study “State of Software Security (SoSS) Report EMEA” by Veracode.

EMEA also has the highest percentage of high-severity vulnerabilities among all regions. This means that if a vulnerability is exploited, a critical problem could arise in the respective application. Because a high number of errors and vulnerabilities in software code correlates with an increased security risk. So it's no surprise that cyberattacks on the software supply chain will dominate the headlines in 2023.

The market researchers found that just over 80 percent of applications developed by EMEA organizations had at least one security vulnerability when last audited within 12 months. In the United States, this was the case for 73 percent of organizations. Additionally, the percentage of applications containing high-severity vulnerabilities was nearly 20 percent in EMEA, the highest of any region worldwide.

750.000 applications analyzed

“Our data shows that organizations worldwide are deploying a high number of applications with many of the top 25 Common Weakness Enumeration (CWE) vulnerabilities,” said Chris Eng, chief research officer at Veracode. “However, we found interesting regional differences, particularly around the use of third-party or open source code and the way vulnerabilities are introduced throughout an application's lifecycle,” Eng continued.

Analysis of data from more than 27 million scans of 750.000 applications forms the basis of Veracode's State of Software Security (SoSS) report on the status of software security. The latest report shows EMEA-specific results for 2023 for the UK, Germany, France, Italy and the Middle East and Africa.

But numbers alone do not show what consequences the exploitation of software vulnerabilities by hackers can have. As organizations across EMEA use an increasingly complex mix of third-party software, the exploitation of a serious vulnerability can affect thousands of victims simultaneously. Earlier this year, a vulnerability in the printing software tools PaperCut MF and PaperCut NG was actively exploited by hackers. Up to 70.000 organizations in 200 countries became potential victims. According to law enforcement officials, threat actors were able to use it to compromise educational institutions.

Java and third-party code pose significant security vulnerabilities

The study found notable regional differences in preferred programming languages. Java emerged as the preferred language for developers in EMEA. The study also showed that teams using Java fix vulnerabilities more slowly than developers using .NET or JavaScript. This means that many vulnerabilities persist or remain undetected for significantly longer, as Java applications consist of more than 95 percent third-party or open source code. This makes Java usage a key factor in the higher percentage of vulnerabilities in applications in the EMEA region. That's why Software Composition Analysis (SCA), which detects vulnerabilities in open source code, is so important. The study also shows that the proportion of SCA reported vulnerabilities in EMEA is higher than in other regions.

As generative AI becomes more important in software development, the risk of vulnerabilities from external sources increases. A study presented at Black Hat in 2022 showed vulnerabilities in 40 percent of code written by generative AI trained on massive, unprocessed data sets, including millions of public GitHub repositories. Therefore, it is critical that organizations use SCA tools to find and remediate vulnerabilities. This allows developers to benefit from the advantages of AI without jeopardizing the security of the applications.

Applications become more vulnerable over time

New code vulnerabilities occur at a much higher rate across the application lifecycle in EMEA than in other regions. Although companies in the EMEA region keep their applications up to date, there is less attention to quality. After a period of five years, 50 percent of applications in the EMEA region still have new errors. In comparison, this is only the case in around 30 percent worldwide. Overall, the probability of a vulnerability occurring in a given month is 27 percent.

It would therefore be beneficial for companies in the EMEA region to pay more attention to the latter part of the application lifecycle and scan applications more regularly. They should also prioritize security training for developers. The study shows that the probability that a vulnerability will occur falls from 10 percent to around 27 percent by participating in 25 interactive security exercises.

“This year’s SoSS report highlights how important it is to keep an eye on the issue of security throughout the entire software life cycle. Above all, considering the risks of third-party and AI-generated code plays an important role,” continues Eng. “Globally, we are still seeing worrying levels of vulnerabilities – and in EMEA they are higher in almost all surveys. Development teams in EMEA should automate software security with regular scans and carefully consider the use of AI tools, both to increase security and reduce the burden on developers.”

More at


About Veracode

Veracode stands for intelligent software security. The Veracode Software Security Platform finds flaws and vulnerabilities at every stage of the modern software development cycle. Thanks to powerful AI trained on trillions of lines of code, Veracode customers fix errors faster and with high accuracy.

Matching articles on the topic

Data protection: trends in 2024

What challenges could companies face in the area of ​​data protection this year? And how can you relate to that? ➡ Read more

These threats have shaped 2023

In 2023, botnets returned from the dead, ransomware actors found creative ways to make money from theft, and threat actors ➡ Read more

FBI, Europol, NCA: APT group LockBit smashed!

According to the authorities, Europol, the FBI and the British NCA have dismantled the APT group LockBit. At least she has ➡ Read more

Phishing, vishing and quishing

In the early days, phishing attacks were often very simple and used legitimate sources of written communication such as email to gain access ➡ Read more

Pawn Storm under the microscope

Pawn Storm (also APT28 or Forest Blizzard) is a group of APT actors who distinguish themselves through persistent repetition in their tactics, ➡ Read more

Pig Butchering: Lucrative business model for cyber gangs

Sophos has revealed how Sha Zhu Pan scammers are now using a business model for their so-called pig-butchering scams that are supposedly aimed at romance ➡ Read more

Fines for violating the GDPR

The General Data Protection Regulation (GDPR) came into force in November 2018 to standardize the rules for processing personal data across the EU. ➡ Read more

Cyber ​​attacks are the main reason for business failures

A leading provider of data protection and ransomware recovery solutions by market share, releases the results of its fifth annual report. ➡ Read more