Veracode has released the EMEA snapshot of its annual State of Software Security (SoSS) 2024 report, revealing concerning levels of security debt across Europe, the Middle East, and Africa (EMEA). According to the report, 68% of organizations in the region have accumulated some form of security debt, with 46% harboring high-severity flaws classified as ‘critical’ security debt. These flaws pose the greatest risk to applications, potentially leading to significant breaches if left unaddressed.
Security debt refers to unresolved software flaws that have remained unpatched for more than a year, often due to a lack of time or resources. As these flaws accumulate, they leave organizations increasingly vulnerable to cyberattacks. In today’s digital landscape, where every interaction with an application could be an entry point for attackers, managing and mitigating security debt is critical.
Chris Eng, Chief Research Officer at Veracode, emphasized the urgency of addressing security debt, particularly high-risk flaws. He noted, “Businesses should have a laser focus on remediating critical security debt first, given these flaws present the highest risk.”
The report highlights the difficulty organizations face in managing security debt, particularly with manual remediation methods. On average, it takes EMEA organizations 19 months to fix flaws in third-party code, compared with nine months for first-party code. Notably, 84% of security debt comes from first-party code, but critical security debt predominantly stems from third-party code: 80% in EMEA, significantly higher than the global rate of 65%.
AI-powered tools offer a potential solution to reduce security debt by automating the remediation process. While AI code generators such as GitHub Copilot can speed up development, they don’t always produce secure code, with 36% of AI-generated code containing security flaws. Veracode’s AI-powered remediation tool, Veracode Fix, has proven effective in reducing fix times for common vulnerabilities from days to minutes, improving productivity and speeding up security efforts.
Veracode also suggests organizations leverage Application Security Posture Management (ASPM) tools to track, prioritize, and manage risk. Veracode’s Longbow, an ASPM solution, uses contextual analysis to help organizations prioritize and tackle the most critical vulnerabilities with the least effort.
In conclusion, Eng reiterated the importance of addressing critical flaws to mitigate security risks, urging organizations to adopt AI-powered remediation solutions to manage security debt more efficiently and reduce vulnerability exposure.
The full State of Software Security 2024 report, along with the EMEA snapshot, is available for download on Veracode’s website.