/oct 27, 2020

Veracode State of Software Security: Half of Application Security Flaws Remain Open Six Months After Discovery; Apps with Technical Debt Take Two Times as Long to Fix

SOSS Volume 11 finds 76% of applications have at least one security flaw

BURLINGTON, Mass. – Oct. 27, 2020 Veracode, the largest global provider of application security testing (AST) solutions, today announced the State of Software Security (SOSS) Volume 11 revealing the majority of applications contain at least one security flaw and fixing those flaws typically takes months. This year’s analysis of 130,000 applications found that it takes about six months for teams to close half the security flaws they find.

The report also uncovered some best practices to significantly improve these fix rates. Veracode found there are some factors that teams have very little control over, and those that they have have a lot of control over, categorizing them as “nature vs. nurture”.  Within the “nature” side Veracode considered factors such as the size of the application and organization as well as security debt, while the “nurture” side accounts for actions such as scanning frequency, cadence, and scanning via APIs.

Fixing Security Flaws: Nature or Nurture?

SOSS 11 revealed that addressing issues with modern DevSecOps practices results in higher flaw remediation rates. For example, using multiple application security scan types, working within smaller or more modern apps, and embedding security testing into the pipeline via an API all make a difference in reducing time to fix security defects, even in apps with a less than ideal “nature.” 

“The goal of software security isn’t to write applications perfectly the first time, but to find and fix the flaws in a comprehensive and timely manner,” said Chris Eng, Chief Research Officer at Veracode. “Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools.”

Other key findings of SOSS 11 include:

  • Flawed applications are the norm: 76% of applications have at least one security flaw, but only 24% have high-severity flaws. This is a good sign that most applications do not have critical issues that pose serious risks to the application. Frequent scanning can reduce the time it takes to close half of observed findings by more than three weeks.
  • Open source flaws on the rise: while 70% of applications inherit at least one security flaw from their open source libraries, SOSS 11 also found that 30% of applications have more flaws in their open source libraries than in the code written in-house. The key lesson is that software security comes from getting the whole picture, which includes identifying and tracking the third-party code used in applications.
  • Multiple scan types prove efficacy of DevSecOps: teams using a combination of scan types including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) improve fix rates. Those using SAST and DAST together fix half of flaws 24 days faster.
  • Automation matters: those who automate security testing in the SDLC address half of the flaws 17.5 days faster than those that scan in a less automated fashion.
  • Paying down security debt is critical: the link between frequently scanning applications and faster remediation times has been established in Veracode’s prior State of Software Security research. This year’s report also found that reducing security debt – fixing the backlog of known flaws – lowers overall risk. SOSS 11 found that older applications with high flaw density experience much slower remediation times, adding an average of 63 days to close half of flaws.

Download Veracode’s State of Software Security Volume 11, and click here to learn why Veracode is the best partner for DevSecOps.

About the State of Software Security Report

Veracode’s State of Software Security (SOSS) Volume 11 report is a comprehensive review of application security testing data from scans of more than 130,000 active applications conducted by Veracode’s customer base of more than 2,500 companies. This represents the industry's most comprehensive set of application security benchmarks. Veracode collaborated with data scientists at Cyentia Institute to better visualize and understand new threats and how developers can make applications better and more secure.


About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and Twitter.

Copyright © 2024 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

 

Press and Media Contacts

Veracode:
Katy Gwilliam,
Head of Global Communications, Veracode
kgwilliam@veracode.com
+44.7584.341.110
Related Links
veracode.com


BROWSE RESOURCES


  • resource image

    Analyst
    Reports

  • resource image

    Blogs

  • resource image

    Customer
    Stories

  • resource image

    Demos

  • resource image

    News

  • resource image

    Research

  • resource image

    Tips
    and Tricks

  • resource image

    Webinars,
    Videos,
    & Podcasts

  • resource image

    Whitepapers
    and eBooks