/nov 16, 2020

Financial Services Sector Leads in Fixing Application Flaws, Lags in Time to Remediate

BURLINGTON, Mass. – Nov. 16, 2020 Veracode, the largest global provider of application security testing (AST) solutions, today released findings revealing that the financial services industry has the best flaw fix rate across six industries and leads a majority of industries in uncovering flaws within open source components. Fixing open source flaws is critical because the attack surface of applications is much larger than developers expect when open source libraries are included indirectly.

The findings came as a result of Veracode’s State of Software Security Volume 11, which analyzed 130,000 applications from 2,500 companies. The research found that financial services organizations have the smallest proportion of applications with flaws and the second-lowest prevalence of severe flaws behind the manufacturing sector. It also has the highest fix rate among all industries, fixing 75% of flaws. Still, the research found that financial services firms require about six and a half months to resolve half of the flaws they find, indicating it is slower than other industries to remediate.

“Financial services firms have a median time to remediation of more than six months, despite having a high fix rate compared to other sectors,” said Chris Wysopal, Chief Technology Officer at Veracode. “However, developers in the financial services industry are often limited by the nature of the environments they are working in, as applications tend to be older, have a medium flaw density, and aren’t consistently following DevSecOps practices compared to other industries. With some additional training and sticking to best practices, they can quickly remediate issues and start to reduce security debt.”

Financial Services Specific Findings

Veracode’s research found compelling evidence that certain developer behaviors associated with DevSecOps yield substantial benefits to software security. The findings detail that financial services firms:

  • Are a leading industry when it comes to fixing flaws in their open source software and establishing strong scan cadences.
  • Fall to middle-of-the-road for scanning frequency and integrating security testing, and are not likely to be using dynamic analysis (DAST) scanning technology to uncover vulnerabilities.
  • Outperform averages across all industries in dealing with issues related to cryptography, input validation, Cross-Site Scripting, and credentials management – all things related to protecting users of financial applications.

For more information on common flaws and findings, download

Veracode’s State of Software Security Volume 11, and find the SOSS 11 Financial Infosheet here.

About the State of Software Security Report

Veracode’s State of Software Security (SOSS) Volume 11 report is a comprehensive review of application security testing data from scans of more than 130,000 active applications conducted by Veracode’s customer base of more than 2,500 companies. This represents the industry's most comprehensive set of application security benchmarks. Veracode collaborated with data scientists at Cyentia Institute to better visualize and understand new threats and how developers can make applications better and more secure.


About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and Twitter.

Copyright © 2024 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

 

Press and Media Contacts

Veracode:
Katy Gwilliam,
Head of Global Communications, Veracode
kgwilliam@veracode.com
+44.7584.341.110
Related Links
veracode.com


BROWSE RESOURCES


  • resource image

    Analyst
    Reports

  • resource image

    Blogs

  • resource image

    Customer
    Stories

  • resource image

    Demos

  • resource image

    News

  • resource image

    Research

  • resource image

    Tips
    and Tricks

  • resource image

    Webinars,
    Videos,
    & Podcasts

  • resource image

    Whitepapers
    and eBooks