Huge amounts of apps are developing security flaws in their first year

Android developer at work
(Image credit: Christina Morillo/Pexels)

In their first year of existence, a third of apps (32%) carry security flaws, and by the age of five, this number grows to more than two-thirds (70%), new research has found. 

A new report from Veracode found businesses need to scan for flaws early, often, and in various ways, in order to minimize the chances of severe issues down the road.

The company analyzed more than three-quarters of a million applications across commercial software suppliers, software outsourcers, and open-source projects,  finding that after the initial introduction of flaws, the apps usually enter a “honeymoon period” of stability - almost 80% don’t introduce any new flaws for the first year and a half. 

Costly mistakes

After that, some devs start getting sloppy again, with the number of new flaws being introduced to the code climbing to roughly 35% after five years.

Ignoring to address security flaws early could result in huge costs down the road, Veracode says, citing recent reports that claim an average data breach now costs $4.35 million. 

Instead, developers should do a number of things to reduce the probability of flaw introduction, including developer training, and the use of multiple scan types - scanning via API included. 

The frequency of scans is also an important factor, the company added. Furthermore, they should tackle technical and security debt as early and as quickly as possible, prioritize automation and developer security training, and establish an application lifecycle management protocol that incorporates change management, resource allocation, and organizational controls. 

“Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins,” said Chris Eng, Chief Research Officer at Veracode.

“Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies.” 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Holographic representation of cloud computing over open businessman's hand
Businesses are struggling to address vulnerabilities hidden in phantom dependencies
API
Businesses are being plagued by API security risks - with nearly 99% affected
Cyber-security
Empowering developers with cutting-edge security training
Hacker Typing
Racing against time on a menacing caldera: survey finds majority of organizations take days to tackle critical vulnerabilities, each of them a potential open goal for cybercriminals
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
App stores are increasingly becoming a major security worry
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection