Financial services lead when it comes to fixing open source flaws

The financial services industry has the best flaw fix rate across six industries and leads a majority of industries in uncovering flaws within open source components, Veracode reveals.

fixing open source flaws

Fixing open source flaws is critical because the attack surface of applications is much larger than developers expect when open source libraries are included indirectly.

The findings came as a result of an analysis of 130,000 applications from 2,500 companies.

Fixing open source flaws

The research found that financial services organizations have the smallest proportion of applications with flaws and the second-lowest prevalence of severe flaws behind the manufacturing sector.

It also has the highest fix rate among all industries, fixing 75% of flaws. Still, the research found that financial services firms require about six and a half months to resolve half of the flaws they find, indicating it is slower than other industries to remediate.

“Financial services firms have a median time to remediation of more than six months, despite having a high fix rate compared to other sectors,” said Chris Wysopal, CTO at Veracode.

“However, developers in the financial services industry are often limited by the nature of the environments they are working in, as applications tend to be older, have a medium flaw density, and aren’t consistently following DevSecOps practices compared to other industries.

“With some additional training and sticking to best practices, they can quickly remediate issues and start to reduce security debt.”

Financial services specific findings

The research found compelling evidence that certain developer behaviors associated with DevSecOps yield substantial benefits to software security. The findings detail that financial services firms:

  • Are a leading industry when it comes to fixing flaws in their open source software and establishing strong scan cadences.
  • Fall to middle-of-the-road for scanning frequency and integrating security testing, and are not likely to be using dynamic analysis (DAST) scanning technology to uncover vulnerabilities.
  • Outperform averages across all industries in dealing with issues related to cryptography, input validation, Cross-Site Scripting, and credentials management – all things related to protecting users of financial applications.

Don't miss