Two Thirds of EMEA Organizations Grapple with Security Debt and Nearly Half Have Debt Considered “Critical”80% of Third-party Code Has Critical Security Debt—Significantly Higher Than the Global Average
Veracode, a global leader in application risk management, today unveiled the EMEA snapshot of its annual State of Software Security (SoSS) 2024 report, revealing worrying levels of security debt in organizations across Europe, the Middle East and Africa.
Veracode’s research found 68 percent of EMEA organizations harbor some level of security debt, while 46 percent have high-severity persistent flaws in code, classified as ‘critical’ security debt. These high-severity flaws represent the greatest risk to applications and are a ticking time bomb with the potential for catastrophic breaches.
In a world where every interaction with an application can be a potential entry point for cyber attackers, understanding and managing security debt is more crucial than ever. Security debt, defined for this report as software flaws that remain unfixed for longer than a year, can build up when developers lack time or resources to address potentially dangerous flaws. Over time, these flaws accumulate, making organizations increasingly vulnerable to attackers.
Chris Eng, Chief Research Officer at Veracode, said, “The findings of this year’s EMEA SoSS report are a wake-up call for organizations in the region. Businesses should have a laser focus on remediating critical security debt first, given these flaws present the highest risk.”
Developers tasked with triaging and fixing flaws manually often fall short in tackling growing security debt, with slow remediation timelines and prioritization to blame. Analysis of remediation timelines in EMEA found it takes organizations using manual methods an average of 19 months to remediate flaws in third-party code, compared to nine months for first-party code. With such a vast number of flaws to address, organizations must prioritize which vulnerabilities to fix first, especially critical flaws.
When it comes to sources of security debt, the report found 84 percent of security debt overall comes from first-party code developed in-house. Meanwhile, 80 percent of critical security debt stems from third-party code, which often flies under the radar but can be just as dangerous for EMEA organizations. Crucially, the critical security debt statistic is considerably higher than the global rate of 65 percent.
Leveraging AI for Vulnerability Remediation
While AI code generators are increasingly used by developers to create software because of the speed and efficiency they bring, they don’t always produce secure code. Indeed, recent research found 36 percent of code generated by the AI-powered GitHub CoPilot tool contained security flaws.
AI can also be used to burn down security debt, supporting developers and security teams by dramatically reducing the time to fix vulnerabilities. Eng said, “AI-powered remediation tools can save teams a significant amount of time by automating fix recommendations and tackling flaws at scale. For example, our AI-powered remediation solution, Veracode Fix, has slashed fix times for common vulnerabilities from days to minutes, significantly enhancing developer productivity.”
Mitigating Security Debt in a Complex Environment
With three fifths (60 percent) of all flaws in EMEA organizations considered neither security debt nor critical severity, it becomes easier and more manageable for developers to focus on fixing the four percent that constitutes the highest risk. Once addressed, organizations can then go on to tackle non-critical security debt or more recent critical flaws, based on their risk tolerance and capabilities.
For those seeking prioritization guidance on security debt, Application Security Posture Management (ASPM) tools can continuously track risk through the collection, analysis and prioritization of security issues across the software development cycle.
ASPM tools have become more popular as they offer a comprehensive, unified view of risk across application stacks, and facilitate the remediation of issues. Longbow, powered by Veracode, delivers ASPM to get to the root cause of the issue through contextual analysis and suggests the best next actions to reduce the most risk with the least amount of effort.
Eng closed, “The prevalence of security debt among EMEA organizations highlights the need for immediate action to protect businesses against future breaches. Security leaders and developers should focus on patching the most critical flaws that introduce the most risk given their context. AI-powered security solutions that scale remediation efforts will enable teams to tackle their growing security debt more efficiently and reduce the amount of time vulnerabilities can be exploited.”