BURLINGTON, Mass.–(BUSINESS WIRE). The healthcare sector overtook financial services as the best-performing industry, showing that healthcare providers have made good progress toward making their software more secure over the past year.
The data was published in the company’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans from half a million applications in healthcare, finance, technology, manufacturing, retail and government.
Chris Eng, Chief Research Officer at Veracode said: “Healthcare is one of the more regulated sectors and is viewed by government as critical infrastructure, so it’s encouraging to see the sector doing comparatively well in terms of overall remediation. We hope healthcare developers and IT pros see this as a welcome ray of sunshine amid the all too often grim world of software security. There is still a lot to do, so look forward to further improvements in the years to come.”
Despite holding the top spot for fix rate, 77 percent of applications in the healthcare industry contain vulnerabilities, and 21 percent contain vulnerabilities of high severity. The sector also has plenty of room for improvement in the time it takes to fix flaws once they are discovered: up to 447 days to remediate half of the flaws found.
Healthcare breaches are the most expensive
With healthcare companies incurring the highest average cost of a security breach, at a new record high of $10.1 million*, it is imperative to take proactive measures to mitigate the risk of a cyberattack. Because data breaches in highly regulated industries tend to carry larger long-term costs in the years that follow, the industry would benefit from even broader efforts to address security earlier in the software development lifecycle.
Of the six industries analyzed, healthcare providers rank lowest for the proportion of applications with flaws and second-lowest for the percentage of high-severity flaws, defined as those that would pose a serious risk to the application and the organization if exploited. When it comes to the types of flaws discovered during dynamic analysis of applications in the industry, healthcare providers perform well on authentication issues and insecure dependencies compared to other industries, but have a higher incidence of cryptographic and deployment configuration issues.
Eng said: “We know that no application will ever be 100 percent free from security vulnerabilities, so it is important that companies take all necessary steps to minimize the risk as much as possible. This includes regular, rapid scanning with multiple test types, integrating testing tools into developer environments, and providing hands-on training to help developers understand the origin of bugs and fix or prevent them entirely. The healthcare sector should also take extra care to prioritize critical failures – those vulnerabilities that could have catastrophic effects if left unresolved for too long.”
Andrew McCall, Vice President of Engineering, Azalea Health Innovations, said, “The biggest obstacle to building security into our workflows is that developers treat security as a checkbox. However, security is an ongoing process and must be a priority throughout the software development lifecycle. We chose Veracode because it was the easiest and best solution to integrate with our existing processes.”
Third-party library security
With a surge in regulations to secure the software supply chain over the past year, the report analyzed third-party libraries to determine how quickly vulnerabilities discovered through software composition analysis (SCA) are being remediated. Overall, around 30 percent of vulnerable libraries remain unresolved after two years; however, this figure falls to 25 percent for the healthcare sector. While the overall proportion of vulnerable libraries found by SCA has steadily decreased over time, the healthcare sector saw a brief uptick before rates dropped dramatically in the last year or so.
The Veracode State of Software Security v12 Health Snapshot can be downloaded here and the full report is available here.
* IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”: https://www.ibm.com/downloads/cas/3R8N1DZJ, July 2022
About the State of Software Security Report
The Veracode State of Software Security (SoSS) v12 analyzed complete historical data from Veracode services and customers. This equates to a total of over half a million applications (592,720) across all scan types, over a million dynamic analysis scans (1,034,855), over five million static analysis scans (5,137,882), and more than 18 million software composition analysis scans (18,473,203). Together these scans yielded 42 million raw static findings, 3.5 million raw dynamic findings and 6 million raw SCA findings.
The data represents large and small companies, commercial software vendors, software outsourcers, and open source projects. In most analyses, an application was only counted once, even if it was submitted multiple times, as vulnerabilities were fixed and new versions were uploaded.
Veracode is a leading AppSec partner for building secure software, reducing the risk of security breaches, and making security and development teams more productive. As a result, companies using Veracode can move their business and the world forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps organizations get accurate and reliable results so they can focus on remediating potential vulnerabilities, not just finding them. Learn more at www.veracode.com, on the Veracode Blog, and on Twitter.
Copyright © 2022 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, trademarks or logos belong to their respective owners. All other trademarks cited herein are the property of their respective owners.