It's here! Data junkies rejoice!

Today we're proud to release the third volume of our semi-annual State of Software Security report. This edition incorporates data from 4,835 applications analyzed via our cloud-based platform over the past 18 months. After lots of number crunching and a fair amount of head scratching, we've unearthed some intriguing findings that reflect the progress (or lack thereof) being made in securing the world's software.

Not convinced yet? Here are a few of the data points I found particularly interesting:

  • Over the past 8 quarters, the prevalence of SQL Injection (% of web apps affected) has decreased slightly, but XSS has remained flat.
  • Security products fare worse than software from most other supplier categories in the share that meet the acceptable security quality bar on first submission.
  • Over half of developers who take our Application Security Fundamentals exam receive a grade of C or lower.
  • Security quality scores are similar for companies across all revenue brackets, and there is no discernible difference between public and private companies.

And there's a lot more where that came from. Plus histograms, whisker plots, linear regressions, and more! Download the full report to get all the juicy details, then come back here and tell us what you think. Enjoy!


About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (3)

Clerkendweller | April 22, 2011 7:57 am

Great new report. Thanks so much for the extra information on remediation efforts.

Any chance of finding out if any of the big suppliers of outsourced software development, who are also active in the software security space, have a better security quality track record than other companies?

Rob Haines | April 27, 2011 11:29 am

Have you (or are you considering) sending any input to NIST for SP800-53rev4? One of their focus areas is software application security (including web apps).

Amelia @ Ethical Hacking | July 4, 2011 1:28 pm

Interesting updates in this report.

It speaks clearly of how various industries' software infrastructure continues to be highly vulnerable despite efforts to continuously up acceptability levels of security quality.

"[Seventy-two] percent of security products and services applications had unacceptable security quality" -- the glaring facts and figures on security vendors' vulnerability trends in their security products.
