Companies that find themselves with old, vulnerable code in their environment are likely to be short of resources to fix them. Most organizations will find themselves in this situation at some point, whether it’s because they are using open-source programs or outdated ones. But there are ways for companies to get the problem under control, including prioritization, automation, and mitigation.

The problem of old, bad code is ubiquitous in enterprises. Vulnerable code in general is a problem — according to a Veracode report released earlier this year, 74% of scanned applications during the previous year had at least one security flaw, and 19% had a high-severity vulnerability. And the older the application, the more likely it is to have problems, says Veracode’s chief research officer Chris Eng. When new applications are scanned for the first time, 32% of them have security flaws. At the five-year mark, that jumps to 70%. By the time an application is 10 years old, there’s a 90% chance it has at least one security flaw.

One reason for the growth in problems is that new code is added to applications — according to Veracode, applications grow 40%, on average, every year for the first five years. Each new line of code adds potential for mistakes, and more complexity makes it harder to spot and fix problems.

Components are also a big part of the issue. “Most developers, when they download an open-source component and incorporate it into their application, never go back and update it,” Eng tells CSO. To be more exact, 79% of the time, old open-source components are not updated. Over time, new vulnerabilities keep getting discovered even if a new line of code is never added, “the security posture of that application is getting worse and worse and worse,” Eng says.

According to Synopsys’ open-source security and risk analysis released in February, 96% of all commercial code bases contained open-source components — and 89% contained open-source code that was more than four years out of date. The problem is so important to application security that vulnerable third-party libraries are on the OWASP top ten list of web application security risks.

The solution seems simple on the surface: just replace the component with the newest version. That’s easy when the code base is relatively new. “If a patch is released tomorrow, it’s fairly easy to go and do that patch,” Eng says. “But if I linger for years and I get multiple versions behind, then the amount of effort required to get current is tremendous.”