Software vulnerabilities are decreasing, but third-party risks remain
Software vulnerabilities are on the decline, according to new research from Synopsys.
Analysis from the company’s security testing service shows that from 2020 to 2022 there has been a significant decrease in software vulnerabilities.
Overall, 97% of tests on target applications identified serious vulnerabilities in 2020, according to Synopsys. This fell to 95% in 2021 and again to 83% in 2022.
The software company sees this as reason for optimism about organizations’ ability to produce error-free code with improved DevSecOps procedures.
This improvement may be due to the wider adoption of practices such as automated testing and code reviews, which have proven effective in reducing exploit opportunities for hackers.
Synopsys’ tests replicate the attack vectors threat actors use today, using methods that include penetration testing, dynamic application security testing (DAST), mobile application security testing (MAST), and network security testing.
Overall, 92% of tests in the three-year period from 2020 to 2022 found some type of vulnerability, yet only 27% were considered high severity and only 6.2% contained critical vulnerabilities.
Severity levels indicate the risk a vulnerability poses to network security, as assessed on the CVSS v3 scale.
Jason Schmitt, general manager of Synopsys’ Software Integrity Group, said this decline is an encouraging sign that companies are adopting more robust measures to address an increasingly sophisticated threat landscape.
“For the first time in years, we are seeing a decrease in the number of known vulnerabilities in software, giving new hope that organizations are taking security seriously and prioritizing a strategic and holistic approach to software security to make a lasting impact.”
Third-party software still poses an increased risk
Despite evidence showing that certain procedures pay off, the report identifies areas that still pose an increased risk to organizations.
In 2022, one in four tests found vulnerable third-party libraries to be a particular risk to application security.
While open source is useful for developers trying to build software more efficiently, Synopsys’ report notes that the security risks associated with it have been on the rise.
Synopsys’ 2023 report on open source security disclosed that high-risk vulnerabilities in open source code have increased by 557% in retail and e-commerce alone. This is compounded by a worrying lack of security patching, with 91% of audited codebases containing outdated open source components.
Leaked information has also been a leading security risk throughout this period. On average, 19% of the total vulnerabilities were directly related to information leakage issues.
Finally, the findings suggest that cross-site scripting (XSS) also appears to be on the rise, with 19% of all vulnerabilities disclosed in 2022 being susceptible to cross-site scripting.
Andy Schneider, field CISO at Lacework, cautioned that the year-over-year decline in vulnerabilities observed during this period may not be an accurate reflection of organizations’ long-term security posture.
“From a short-term perspective, there can be ups and downs in the amount of vulnerabilities,” he told IT Pro.
“However, just as having a hot or cold summer does not say anything about climate change, this does not necessarily represent the whole picture. More and more organizations are transforming their business to a digital model, which usually involves new lines of code and potentially new vulnerabilities.”
Michael Man, DevSecOps Evangelist at software security firm Veracode, said their own research also revealed a “general downward trend in the number of bugs introduced over the years”.
“It’s safe to say the teams are getting better,” he said.
“What leaves room for improvement is how thoroughly and quickly teams remediate, but strangely this varies from language to language.”
He added that a worrying trend observed by Veracode is that some organizations tend to become more lax over time as applications age and expand in scope.
“Attention to writing secure code tends to fade for some reason, and as applications age and grow in size, a higher proportion of them introduce new bugs than in the first 2 years. Bugs tend to accumulate year after year until 70% carry defects.
“So while we’re getting better at introducing new bugs over the years, attention to detail during the application lifecycle would be an area where teams could make some significant improvements.”