New report reveals EMEA firms struggle with critical security debt

New research from Veracode has revealed that over two-thirds (68%) of organisations across Europe, the Middle East, and Africa (EMEA) have software vulnerabilities in their applications that have remained unaddressed for more than a year, a situation referred to as 'security debt'. The findings come from the latest EMEA State of Software Security (SoSS) 2024 report.

The report indicates that 46% of these organisations are grappling with high-severity flaws classified as "critical", posing considerable risks if left unresolved. Such flaws are often termed a "ticking time bomb" with the potential for severe breaches.

Chris Eng, Chief Research Officer at Veracode, commented, "The findings of this year's EMEA SoSS report are a wake-up call for organisations in the region. Businesses should have a laser focus on remediating critical security debt first, given these flaws present the highest risk."

One of the alarming aspects highlighted in the report is the average time taken to address flaws. Organisations using manual methods take approximately 19 months to remediate vulnerabilities in third-party code, as opposed to nine months for first-party code. With the substantial number of flaws to manage, prioritising which vulnerabilities need immediate attention becomes crucial.

The report also identifies that a significant portion of security debt originates from both in-house and third-party codes. While 84% of overall security debt stems from first-party code developed internally, 80% of critical security debt comes from third-party code. Notably, this statistic for critical security debt is substantially higher than the global average of 65%.

Eng pointed out the potential role of artificial intelligence in combating these vulnerabilities. "AI-powered remediation tools can save teams a significant amount of time by automating fix recommendations and tackling flaws at scale," he said. For instance, Veracode's AI-powered remediation solution, Veracode Fix, has reportedly reduced fix times for common vulnerabilities from days to minutes.

Furthermore, Application Security Posture Management (ASPM) tools have become increasingly popular for their ability to provide a comprehensive view of risk across application stacks and facilitate the remediation process. These tools track security issues continuously through the software development lifecycle, offering a systematic approach to managing and prioritising security debt.

Longbow, an ASPM tool powered by Veracode, helps organisations zero in on the root causes of vulnerabilities through contextual analysis and recommends the best actions to mitigate the most significant risks with the least effort.

The report underscores that while the majority of flaws in EMEA organisations (60%) are neither security debt nor critical, focusing on the 4% of flaws that constitute the highest risk can make the remediation process more manageable. Addressing these high-risk vulnerabilities first can lay the groundwork for tackling non-critical security debt or newer critical flaws, aligned with an organisation's risk tolerance and capabilities.

"The prevalence of security debt among EMEA organisations highlights the need for immediate action to protect businesses against future breaches. Security leaders and developers should focus on patching the most critical flaws that introduce the most risk given their context," Eng concluded. He also emphasised that AI-powered security solutions could enable teams to address their growing security debt more efficiently and curtail the window of exploitation.