Nearly nine in ten web applications written in a popular programming language use out-of-date open-source components with known security vulnerabilities, according to the software analysis firm Veracode.
Veracode released its "State of Software Security 2017" report on Wednesday, with data compiled from real-world scans of its customers' applications. The scans found that 88 percent of Java applications contain vulnerabilities introduced by out-of-date components.
Programmers often use prewritten, third-party code libraries to bolster their own work. But when security flaws in those libraries are patched, the updates are often overlooked when the applications that depend on them are maintained.
For example, more than half of the scanned applications use out-of-date versions of the Apache Commons Collections library that still contain a flaw that downed the San Francisco Municipal Transportation System the day after Thanksgiving last year.
The Veracode report also notes that 77 percent of all previously untested software, online or offline and in any programming language, contained vulnerabilities.
The most common problems found were information leaks (where a third party can access data from the program without permission), cryptographic issues and general sloppiness in programming, such as leaving test code in the final product.