SOSS Volume 9 reveals how DevSecOps can overcome the volume and persistence of software flaws

Fall is a favorite season for many – in New England, we have beautiful colors and a chill in the air.  At Veracode, fall is our favorite season because it signifies the release of our annual State of Software Security (SOSS) report. Each year, we welcome the opportunity to share with the industry our insights into common vulnerabilities found in software and how organizations are measuring up to security industry benchmarks throughout the software development lifecycle.

Today, we are releasing SOSS Volume 9 – and I’m proud to say it’s one of the most impactful and rich reports we’ve done to date. Our report goes beyond how organizations’ application security (appsec) programs are performing. This year, we analyzed the data to understand the time it takes for these organizations to actually fix flaws once they’ve been identified in application security scans.

(Hint: it takes time to fix vulnerabilities)

Our ninth iteration of SOSS comes at a time when it feels as if the application security market, once a small slice of the security landscape, is finally growing up. Forrester Research recently forecasted “spending on appsec solutions will grow to $7.1 billion by 2023, up from $2.8 billion in 2017, implying a 16.4 percent compound annual growth rate.” Meanwhile, the 2018 Verizon Data Breach Investigations Report found web application was the top data breach type, leading to increased demand for application security tools.

Perhaps most astounding – while every business out there uses software, those figures may only account for half the total addressable market. In other words, a very large number of businesses are not testing their software security at all.

That’s why one of my biggest takeaways from this year is that while progress is being made, overall, there is a lot of work to do! That’s good news, however, because it means whether they started their appsec program or not, organizations can reduce their risk by creating and using more secure code. 

Here’s a quick look at some of the other major findings from this year’s State of Software Security report:

DevSecOps is proving its worth: one of the most revealing findings of SOSS Volume 9 is that organizations with a DevSecOps model, which tends to incorporate more frequent security scans, incremental fixes, and faster rates of flaw closures into the SDLC, are lowering overall risk. This year’s analysis shows a very strong correlation between high rates of security scanning and lower long-term application risks, which we believe presents a significant piece of evidence for the efficacy of DevSecOps.

Volume of flaws is still extremely high, but customers are getting better at closing them: more than 85 percent of all applications have at least one vulnerability in them, and more than 13 percent have at least one critical severity flaw. Still, we found our customers closed almost 70 percent of vulnerabilities they found, which represents an improvement of 12 percentage points over last year’s report.

Flaws are persistent: pulling the curtain back on the length of time it takes for flaws to be corrected after their initial discovery is ugly, but necessary.

• More than 70 percent of all flaws remained one month after discovery and nearly 55 percent  remained three months after discovery
• 25 percent of high and very high severity flaws were not addressed within 290 days of discovery
• Overall, 25 percent of flaws were fixed within 21 days, while the final 25 percent remained open, well after a year of discovery

Most prevalent common flaws remain the same: breaking down the prevalence of flaws by vulnerability categories shows that all of the usual suspects are present at roughly the same rate as in previous years. In fact, our top 10 most prevalent flaw types have hardly budged in the past year. That means that organizations across the board have made very little headway to create awareness within their development organizations about serious vulnerabilities, like cryptographic flaws, SQL injection, and cross-site scripting. This is most likely a result of organizations struggling to embed security best practices into their SDLC, regardless of where the standards are from.

There is so much more to uncover in this year’s report, including insights by industry sector and by geographic region, that can help organizations understand how appsec factors heavily into the security risks and threats they face.

We’d love to hear your feedback once you’ve had a chance to take a look!