Application security continues to deteriorate, but developers are not the only ones to blame, according to a new report from the cybersecurity firm Veracode.
The failure of organizations to provide adequate security awareness training, and of teams to address vulnerabilities in the production environment, affects the security of applications, Veracode said.
Veracode's State of Software Security 2017 report is based on a code-level analysis of nearly 250 billion lines of code across 400,000 vulnerability assessments conducted for 1,400 customers between April 2016 and March 2017.
According to the analysis, more than 75% of applications had one or more security vulnerabilities in code written by the development team on the initial scan.
About 12% had either a very-high-severity or a high-severity flaw on the first scan.
Nine out of ten Java applications have at least one serious vulnerability at the component level, meaning that the analysis found the flaw in a component the application includes rather than in the team's own code.
The most common problem is information leakage, present in more than 65% of the applications in which a security flaw was found on the initial scan.
About 62% have cryptographic vulnerabilities, and 56% have code quality issues.
The most common vulnerabilities in this year's initial scans are the same as those found last year, which suggests that organizations are failing to address these problems, or are simply ignoring them.
According to Veracode, developers are not the only ones to blame for the ongoing application security struggles that many organizations appear to be having.
"It’s time to put the lazy developer trope to bed," the company said in its report.
"It may be easy for cybersecurity pros to blame AppSec woes on indifferent, uncaring, or slothful coders. But the reality is very different," Veracode said.