
State of Software Security, Volume 3

It’s here! Data junkies rejoice!

Today we’re proud to release the third volume of our semi-annual State of Software Security report. This edition incorporates data from 4,835 applications analyzed via our cloud-based platform over the past 18 months. After lots of number crunching and a fair amount of head scratching, we’ve unearthed some intriguing findings that reflect the progress (or lack thereof) being made in securing the world’s software.

Not convinced yet? Here are a few of the data points I found particularly interesting:

  • Over the past 8 quarters, the prevalence of SQL Injection (% of web apps affected) has decreased slightly, but XSS has remained flat.
  • Applications from security product vendors fare worse than those from most other software suppliers in terms of achieving acceptable security quality on first submission.
  • Over half of developers who take our Application Security Fundamentals exam receive a grade of C or lower.
  • Security quality scores are similar for companies across all revenue brackets, and there is no discernible difference between public and private companies.

And there’s a lot more where that came from. Plus histograms, whisker plots, linear regressions, and more! Download the full report to get all the juicy details, then come back here and tell us what you think. Enjoy!

4 Comments

Great new report. Thanks so much for the extra information on remediation efforts.

Any chance of finding out if any of the big suppliers of outsourced software development, who are also active in the software security space, have a better security quality track record than other companies?

Comment by Clerkendweller — April 22, 2011 @ 7:57 am

[...] Volume 3 provides further insight into the results of static binary, dynamic, and manual security testing of almost 5,000 applications over the last 18 months from Veracode’s wide client base. The data covers both web and non-web application code in the most common programming languages: C/C++, ColdFusion, Java, .NET and PHP. [...]

Pingback by State of Software Security Report Volume 3 | Web Design Northamptonshire — April 23, 2011 @ 5:50 pm

Have you (or are you considering) sending any input to NIST for SP800-53rev4? One of their focus areas is software application security (including web apps). http://csrc.nist.gov/groups/SMA/fisma/documents/800-53-Rev4_announcement.pdf

Comment by Rob Haines — April 27, 2011 @ 11:29 am

Interesting updates in this report.

It speaks clearly of how various industries’ software infrastructure continues to be highly vulnerable despite efforts to continuously raise acceptability levels of security quality.

“[Seventy-two] percent of security products and services applications had unacceptable security quality” — the glaring facts and figures on security vendors’ vulnerability trends in their security products.

Comment by Amelia @ Ethical Hacking — July 4, 2011 @ 1:28 pm
