More than half the software commonly used by businesses fails to meet acceptable levels of security, a study of 2,900 applications has revealed.
Fifty-seven per cent failed to meet industry standards when tested by security firm Veracode using its cloud-based binary analysis tool for identifying software vulnerabilities.
Third-party applications have the lowest security quality, according to Veracode's latest state of software security report.
Third-party suppliers failed to achieve acceptable levels of security 81% of the time.
This is cause for concern as third-party applications represent 20% to 37% of critical business software, said Matt Moynahan, chief executive at Veracode.
And between 30% and 70% of internally developed software contains third-party components, he said.
The code analysis found that 80% of web applications exhibited the top 10 application security risks defined by the Open Web Application Security Project (OWASP).
This means most web applications in use by enterprises would fail a payment card industry data security standard (PCI DSS) audit.
Cross-site scripting (XSS) is still one of the biggest online threats, accounting for 51% of vulnerabilities, mainly in .NET applications.
This demonstrates the need for developers to become better educated and equipped to avoid common vulnerabilities, said Moynahan.
Results of the analysis show that greater software industry accountability is critical, he said, but there are signs that business is beginning to understand the need to test the security of applications it uses.
"CIOs are starting to realise that they are spending a good portion of their time trying to reduce internal risks, but most of the risks come from third-party applications beyond their control," said Moynahan.
Veracode reports a 200% increase in the number of applications being submitted by businesses for security testing in the past 18 months.
"Big business is beginning to say they are no longer going to pay for all the security vulnerabilities from software companies unless they get rated and meet a minimum level of security," said Moynahan.