These three programming languages are the leading cause of ‘security debt’

Programming languages including JavaScript pictured on a computer screen.
(Image credit: Getty Images)

Some of the most popular programming languages also rank among the most vulnerable, prompting calls for developers to ramp up efforts to address high-severity flaws.

Most ‘security debt’ – defined in a study by Veracode as high-severity flaws that remain unfixed for longer than a year – exists in first-party code written by in-house developers.

However, according to the report, the most critical security debt is to be found in third-party code – 80% in the case of Java apps, and 63% in JavaScript apps.

The report noted that around half of critical flaws in Java applications turn into security debt, compared with only about 45% of low to medium flaws.

"The combination of mounting security debt, an expanding attack surface made more vulnerable by generative AI, and an overwhelming volume of security alerts makes it challenging for organizations to know which application risks to prioritize," said Chris Eng, chief research officer at Veracode.

"In fact, our State of Software Security research shows that many organizations are more focused on remediating low-severity flaws than critical flaws.

"While focusing on non-critical flaws may result in some quick fixes, developers should use their limited capacity to work on fixing critical flaws with the highest potential impact on security."

Three quarters of organizations that run .NET applications reported significant levels of security debt, followed by Java at 64% of organizations, with JavaScript well behind at 54%.

However, when it comes to security debt associated with critical security flaws, it was organizations using JavaScript that were least likely to experience critical security debt, at 30%. The figures for .NET and Java were 45% and 51% respectively.

Third-party flaws, according to the research, take 50% longer to fix with a half-life of 11 months - the time after which half of flaws are fixed - compared with seven months for flaws in first-party code.

Overall, roughly one-third to one-quarter of all flaws are fixed in the first three months, with the half-life for flaws across all applications about nine months.

Mike McGuire, senior software manager at the Synopsys Software Integrity Group, said it should come as no surprise that most of the vulnerabilities and security debt in modern commercial applications can be attributed back to the most popular and widely used languages.

RELATED WHITEPAPER

"The report highlights the fact that security risk comes in many shapes and sizes and from various sources. The notions that open source is less secure than first-party code, or vice versa, are rightly challenged by this report," he said.

"Enabling developers to run dependency and static analyses as they code can catch issues in third-party and first-party code before they’re merged into an application and before they can linger long enough to be considered security debt."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.