The healthcare industry has the highest patch rate for software security vulnerabilities

However, we note that 77% of health apps have bugs, of which 21% are considered “very serious”

BURLINGTON, Massachusetts, September 22, 2022–(COMMERCIAL WIRE)–truecode, a leading global provider of application security testing solutions, today announced that the healthcare industry ranks first in software security vulnerabilities fixed at 27%. The sector overtakes the financial market as the best performing industry, illustrating the progress healthcare providers have made in protecting their software over the past year.

The results were published in the company’s annual report, State of Software Security (SoSS) v12 reportwhich studied 20 million scans in half a million applications in health, finance, technology, manufacturing, retail and government.

Chris Eng, Director of Research at Veracode, said: Healthcare is one of the most highly regulated industries and is critical infrastructure in the eyes of authorities. It is encouraging to see that this sector is doing well in terms of fixing vulnerabilities. We hope developers and IT staff in this industry will appreciate this result, which is a ray of sunshine in the all-too-dark field of software security. Certainly, there is still work to be done, but we look forward to further improvements in the years to come.”

While the healthcare sector leads in terms of patch rate, 77% of its applications contain vulnerabilities, of which 21% are particularly serious. The industry also shows a lot of room for improvement in terms of the time it takes to fix vulnerabilities after they are discovered, with a 447-day timeframe for halfway fix.

The costs of breaches in the health sector are the highest

Healthcare companies bear the highest average data breach costs, reaching a new high of $10.1 million*. Therefore, it is essential to react proactively to minimize the risk of cyber attack. As data breaches in highly regulated industries tend to be associated with higher long-term costs and accumulate in subsequent years, the industry would benefit from greater efforts to ensure security earlier in the development lifecycle. of software.

Of the six industries analyzed, healthcare providers rank last in the proportion of applications with vulnerabilities and second to last in the proportion of high severity vulnerabilities—that is, they say which ones pose a serious risk to the application and the organization if they will be exploited. When it comes to the types of flaws revealed by dynamic analysis of industry applications, healthcare providers do well compared to other industries for authentication issues and insecure dependencies, but nonetheless have a higher occurrence of cryptography and deployment configuration issues.

Mr. Eng also said: “We recognize that no application will ever be completely secure, so it is important that companies take all necessary steps to minimize risk as much as possible. These steps include regular and rapid scanning across multiple types of testing, integrating testing tools into development environments, and hands-on training for developers to help them understand where vulnerabilities originate and how to fix or avoid them altogether. The healthcare industry must also pay special attention to critical flaws, that is, That is, vulnerabilities that could become catastrophic if not patched soon.”

Andrew McCall, Vice President of Engineering at Azalea Health Innovations, said, “The biggest barrier to integrating security into our workflows is that developers see security only as a checkbox. But security is an ongoing process that needs to be considered.” a priority throughout the software development lifecycle. We chose Veracode for its ease of integration into our existing processes.”

Security of third-party resources

Given the proliferation of regulations aimed at securing the software supply chain over the past year, the report reviewed third-party resources to identify the nature of vulnerabilities revealed by software composition analysis (SCA). Overall, nearly 30% of vulnerable resources remain unresolved after two years. However, this statistic drops to 25% in the health sector. In fact, while the overall rate of vulnerable resources discovered by software composition analysis tends to decline steadily over time, the healthcare industry saw a brief spike before dramatically lowering the rate over the past year.

You can download an overview of the Veracode State of Software Security v12 status report here and see the full report here.

* IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”: 2022.

About the Software Security Status Report

The report Veracode State of Software Security (SoSS) v12 analyzed complete historical data of Veracode’s services and clients. This set represents a total of more than half a million applications (592,720) using all types of analysis, more than one million dynamic analyzes (1,034,855), more than five million static analyzes (5,137,882) and more than 18 million software composition analysis (18,473,203). All of these scans produced 42 million raw static results, 3.5 million raw dynamic results, and six million raw SCA results.

This data represents companies large and small, commercial software vendors, software contractors, and open source software projects. In most analyses, the same app was counted only once, although it was submitted multiple times as vulnerabilities were fixed and new versions appeared online.

About Veracode

Veracode is an AppSec Partner of Choice to build secure software, reduce the risk of security breaches, and increase the productivity of development and security teams. So companies using Veracode can move their business and the world forward. By combining process automation, integrations, speed, and responsiveness, Veracode provides organizations with accurate and reliable results that allow them to focus their efforts on patching, not just finding, potential vulnerabilities. Learn more at www.veracode.comon veracode’s blog and about Twitter.

Copyright © 2022 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in other jurisdictions. All other product names, brands and logos are the property of their respective owners. All other trademarks mentioned in this press release are the property of their respective owners.

The text of the press release resulting from a translation should not be considered official in any way. The only authentic version of the press release is the press release in its original language. The translation will always have to be compared with the original text, which will set a precedent.

See the source version on


Katy Gwilliam

Leave a Comment

Your email address will not be published. Required fields are marked *