Veracode, a security firm, released its annual State of Software Security report that shockingly reveals more software vulnerabilities are being created than fixed. The report is based on the analysis of 1.6 million applications that were tested on the cloud platform of the company and shows that the gap in cybersecurity is widening globally.
The report describes “security debt” as known vulnerabilities that have not been fixed for over a year. This number now impacts 82% of companies, compared to 74% the previous year. High-risk vulnerabilities, which are vulnerabilities that are serious and likely to be exploited, have risen from 8.3% to 11.3%.
The applications were tested using static testing, dynamic testing, software composition analysis, and manual penetration testing. Although better tools may be finding more bugs than in the past, it appears that there is a problem.
The speed at which AI-based software development is growing is making it difficult to remediate cybersecurity. New code is being released at a pace that is out of sync with the remediation of existing vulnerabilities. The use of AI-based code development also introduces technical complexity, which is harder to remediate.
On the other hand, AI-based tools can also be used to detect vulnerabilities and remediate them automatically. However, they can also introduce the possibility of false positives or be used for prompt injection attacks.
Although the number of vulnerabilities in open-source software has slightly decreased, the overall remediation deficit is still increasing. The report states that it is no longer sufficient to make incremental progress.