Audit finds application security issues are worse than ever
Mounting vulnerabilities, outdated code and emerging AI threats in application security
Takeaways
- Application vulnerabilities have surged 107% in the past year, driven by mounting security issues and outdated code.
- Open-source components now appear in 98% of audited applications, with 86% containing open-source vulnerabilities and 81% classified as high or critical risk.
- 90% of codebases have open-source components more than four years out-of-date, increasing the likelihood that patches are not applied.
- Only 77% of dependencies are identified through package manager scanning, leaving gaps due to manual updates or AI coding assistants.
- The average application now includes over 5,300 open-source files, marking a 300% increase since 2020.
- Cyberattacks targeting software supply chains are on the rise, using tactics such as social engineering, typosquatting and prompt injection attacks on AI coding tools.
- AI coding tools are reducing some vulnerabilities, especially SQL injection, and increasing awareness about open-source security issues.
An audit of 947 commercial codebases spanning 17 industries finds the number of vulnerabilities inside applications has surged a startling 107% over the past year.
Conducted by Black Duck Software, the audit also finds there are now, on average, 581 vulnerabilities per codebase.
Alas, many of these vulnerabilities can be traced back to open-source components that create dependencies in codebases which are challenging to fix, because the code is managed by an independent maintainer who might not yet have created a patch to address the issue. In fact, the audit finds open-source components now appear in 98% of audited applications. A full 86% of commercial codebases evaluated contained open-source software vulnerabilities, with 81% having high- or critical-risk vulnerabilities.
Worse yet, 90% of audited codebases were found to have open-source components more than four years out-of-date, which means that even when a patch is available to remediate a vulnerability, it probably has not been applied.
Finally, the audit also notes that only 77% of dependencies could be identified via package manager scanning, suggesting that the remainder were introduced into applications by other means, such as manual updates or an AI coding assistant.
In total, the number of open-source components per application climbed 300% since 2020, with the average application now having more than 5,300 of these files.
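As an added illustration of the two gaps described above (this is not code from the audit or from Black Duck), the following Python sketch runs an inventory check over a constructed component list: it measures what share of components a manifest-only scan would have seen and flags versions more than four years old. Component names, versions and release dates are illustrative, and the `Component` model is an assumption.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    released: date   # release date of the version actually in use
    declared: bool   # True if a package manifest or lockfile lists it

STALE_AFTER_YEARS = 4  # the audit's "more than four years out-of-date" threshold

def years_ago(today: date, years: int) -> date:
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)

def is_stale(c: Component, today: date, years: int = STALE_AFTER_YEARS) -> bool:
    """True when the version in use shipped more than `years` years before today."""
    return c.released < years_ago(today, years)

def audit(inventory: list[Component], today: date) -> dict:
    """Report package-manager coverage and stale components for one application."""
    declared = [c for c in inventory if c.declared]
    undeclared = [c for c in inventory if not c.declared]
    stale = [c for c in inventory if is_stale(c, today)]
    return {
        "total": len(inventory),
        "pkg_manager_coverage": len(declared) / len(inventory) if inventory else 0.0,
        "undeclared": sorted(c.name for c in undeclared),  # invisible to manifest-only scanning
        "stale": sorted(f"{c.name}@{c.version}" for c in stale),
    }

# Constructed sample inventory (illustrative names, versions and dates, not audit data).
SAMPLE_INVENTORY = [
    Component("lodash", "4.17.15", date(2019, 7, 17), True),
    Component("express", "4.18.2", date(2022, 10, 8), True),
    Component("jquery", "1.12.4", date(2016, 5, 20), False),   # vendored copy under static/js
    Component("axios", "1.6.0", date(2023, 10, 26), True),
    Component("moment", "2.24.0", date(2019, 9, 12), True),
    Component("chart.js", "2.9.3", date(2019, 10, 3), False),  # copied in from a CDN
    Component("yaml", "2.3.4", date(2023, 11, 5), True),
    Component("marked", "0.3.6", date(2016, 6, 12), False),    # pasted in by a coding assistant
    Component("react", "18.2.0", date(2022, 6, 14), True),
    Component("uuid", "9.0.1", date(2023, 9, 12), True),
]
if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, date(2025, 6, 1)))
```

In a real pipeline the inventory would come from a filesystem or SBOM scan rather than a hand-written list; the point is that the undeclared entries never show up if only the manifest is scanned.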
Evolving software supply chain threats
Unfortunately, cyberattacks aimed specifically at software supply chains are increasing. Cybercriminals are using social engineering tactics to inject malicious code into software packages, or typosquatting techniques that trick developers into downloading code loaded with malware. More recently, prompt injection attacks are being aimed at AI coding tools to instruct them to add malware to code.
Their hope is that malware will find its way into a downstream application where it might later be activated. With the pace at which applications are now being built and deployed in the age of AI, the amount of malware that might potentially be incorporated into an application is starting to exponentially increase. After all, the amount of time and effort needed to create malware has never been lower.
On the plus side, however, as AI coding tools take advantage of more advanced AI models, some vulnerabilities are becoming much less common. Most notably, AI coding tools very rarely generated a SQL injection vulnerability. More attention is also starting to be paid to vulnerabilities in open-source code.
A coalition of major tech companies has committed $12.5 million to strengthen the security of open-source software. Anthropic, Amazon Web Services (AWS), GitHub, Google, Microsoft and OpenAI are participating in this initiative, which will be overseen by the Alpha-Omega Project under the guidance of the Open Source Security Foundation (OpenSSF).
Of course, $12.5 million is a drop in the ocean of funding that might be required to address the issue. As such, cybersecurity teams should assume that, in the months and years ahead, they will have their work cut out for them more than ever.