Despite Major Vulnerability Disclosures Like WannaCry, New Research Finds that Open Source Components Fail to Receive Suitable Security Attention.

Study found less than 25 percent of developers test components for vulnerabilities at every release.

CA Veracode have released new data that shines a light on the gap between how widely components are used and how little security hygiene is applied to them. According to the research conducted with Vanson Bourne, only 52 percent of developers using commercial or open source components in their applications update those components when a new security vulnerability is announced. This highlights organisations' lack of security awareness and leaves them exposed to a breach through a component they already know to be vulnerable.

Software development processes like DevSecOps have helped improve the security of the code developers write. However, these same development processes value speed and efficiency to keep up with the demands of the application economy. As a result, developers rely on components that borrow features and functionality from existing projects and libraries. The research shows that 83 percent of respondents use commercial or open source components, or both, with an average of 73 components being used per application.

While components boost developers' efficiency, and their use is considered a best practice, they come with inherent security risks. Despite finding an average of 71 vulnerabilities per application introduced through the use of third-party components, only 23 percent of respondents reported testing components for vulnerabilities at every release. This may be a consequence of only 71 percent of organisations reporting that they have a formal application security (AppSec) program in place.

What's more, only 53 percent of organisations keep an inventory of all components in their...
