Companies that find themselves with old, vulnerable code in their environment are likely to be short of resources to fix them. Most organizations will find themselves in this situation at some point, whether it’s because they are using open-source programs or outdated ones. But there are ways for companies to get the problem under control, including prioritization, automation, and mitigation.
The problem of old, bad code is ubiquitous in enterprises. Vulnerable code in general is a problem — according to a Veracode report released earlier this year, 74% of scanned applications during the previous year had at least one security flaw, and 19% had a high-severity vulnerability. And the older the application, the more likely it is to have problems, says Veracode’s chief research officer Chris Eng. When new applications are scanned for the first time, 32% of them have security flaws. At the five-year mark, that jumps to 70%. By the time an application is 10 years old, there’s a 90% chance it has at least one security flaw.
One reason for the growth in problems is that new code is added to applications — according to Veracode, applications grow 40%, on average, every year for the first five years. Each new line of code adds potential for mistakes, and more complexity makes it harder to spot and fix problems.
