Java Developers Aren’t Applying Security Patches, Report Finds

Application security vendor Veracode has released the "2017 State of Software Security Report," and the results paint an unflattering picture of Java developers. An alarming 88 percent of Java applications contain at least one vulnerable component, the report's authors found. Why? Developers don't patch components in production once vulnerabilities are found and new versions of those components are released.

Veracode, which was acquired by CA Technologies in April, based its report on scans of thousands of applications and billions of lines of code, the company said.

"Three in every four applications had at least one vulnerability on initial scan, and 12 percent of applications had a high or very high severity vulnerability on initial scan," CA Veracode CTO Chris Wysopal wrote in the report's introduction. "Less than a third of applications passed OWASP policy on the initial scan. And as the security skills gap grows, we're seeing the same coding errors cropping up at similar rates, year after year. These discouraging statistics actually represent an optimistic view, because so many applications are not being assessed for security at all. If that weren't concerning enough, the stakes continue to rise."

Although this year's report noted "quite a bit of turnover" from last year's report among the Java components listed with high severity vulnerabilities (CVSS score greater than 6), the authors attributed that turnover largely to component feature upgrades and newly discovered vulnerabilities that "shook up the numbers," not to improved patching practices.

The Common Vulnerability Scoring System (CVSS) provides an open, standardized rating of the severity of security vulnerabilities.

The Struts 2 library was among the most vulnerable components listed in the report. According to the report, 68 percent of Java apps using the library were using a version vulnerable to Struts-Shock in the weeks following the initial attacks.

One conclusion the report draws from Struts-Shock: vulnerabilities in open source components are highly likely to be exploited.

"That's because attackers know that a single vulnerability can be found in a wide range of applications, and organizations frequently aren't aware that they are vulnerable," the report states. "Open source and third-party components aren't necessarily less secure than code you develop in-house, but keeping an up-to-date inventory of what versions of a component you are using, and where, can be tricky…. Using software composition analysis at the same time as you conduct static application scanning greatly reduces your risk by identifying components with a known vulnerability."
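The inventory-and-match step the report recommends, as an added example that is not part of the article or of any Veracode tooling: it builds a "which version, used where" inventory from constructed pom.xml fragments and flags components matching an advisory above the report's CVSS 6 cut-off. The advisory entries, version ranges and application names are constructed placeholders, not real advisories.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragments standing in for two applications' builds (not real projects).
POMS = {
    "billing-app": """<project><dependencies>
      <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId><version>2.3.5</version></dependency>
      <dependency><groupId>com.example</groupId><artifactId>util</artifactId><version>1.0.0</version></dependency>
    </dependencies></project>""",
    "portal-app": """<project><dependencies>
      <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId><version>2.3.5</version></dependency>
      <dependency><groupId>com.example</groupId><artifactId>util</artifactId><version>1.2.0</version></dependency>
    </dependencies></project>""",
}

# Constructed advisory feed: ids, affected ranges and CVSS scores are placeholders, not real data.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.apache.struts", "artifact": "struts2-core",
     "affected": ("2.3.0", "2.3.20"), "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-2", "group": "com.example", "artifact": "util",
     "affected": ("1.0.0", "1.0.3"), "cvss": 4.3},
]

def parse_version(v):
    """'2.3.5' -> (2, 3, 5) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a Maven xmlns prefix if one is present

def inventory(poms):
    """Return {(groupId, artifactId, version): [app, ...]}: what is used, and where."""
    inv = {}
    for app, xml in poms.items():
        for el in ET.fromstring(xml).iter():
            if _local(el.tag) != "dependency":
                continue
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            inv.setdefault((f.get("groupId"), f.get("artifactId"), f.get("version")), []).append(app)
    return inv

def find_vulnerable(inv, advisories, min_cvss=6.0):
    """Components whose version falls in an advisory's affected range with CVSS above min_cvss."""
    hits = []
    for (g, a, v), apps in inv.items():
        for adv in advisories:
            lo, hi = adv["affected"]
            if (g, a) == (adv["group"], adv["artifact"]) and adv["cvss"] > min_cvss \
                    and parse_version(lo) <= parse_version(v) <= parse_version(hi):
                hits.append({"component": f"{g}:{a}:{v}", "advisory": adv["id"],
                             "cvss": adv["cvss"], "apps": sorted(apps)})
    return hits

if __name__ == "__main__":
    for hit in find_vulnerable(inventory(POMS), ADVISORIES):
        print(hit)
```

With the constructed data, struts2-core 2.3.5 is reported once with both applications that ship it, while the low-severity util match stays below the threshold.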

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].