State of Software Security Reports

State of Software Security Report Volume 5

This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications are not compliant with the CWE/SANS Top 25.

The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testing) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and BlackBerry applications. The resulting intelligence is unique in the breadth and depth it offers.

Volume 5 (40 Pages)
April 8th, 2013

Get the full report

Veracode State of Software Security Report – Feature Supplement on Public Companies

Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements that are designed to address a particular, focused topic, and only release the full SOSS report once a year. This report is the first feature supplement for 2012.

Get the full report

State of Software Security Report - Feature Supplement on Software Supply Chain

This feature supplement focuses on the state of enterprise programs that assess the security of software purchased from vendors. Veracode can uniquely report on how program practices evolve because our analysis is based on data aggregated from companies as they test real applications. The data represents intelligence gleaned from over 900 application builds submitted by software vendors to Veracode's cloud-based platform over an 18-month time frame.

Get the full report

State of Software Security Report Volume 4

Veracode's State of Software Security is the first report of its kind to provide security intelligence derived from multiple testing methodologies (static, dynamic, and manual) on the full spectrum of application types (components, shared libraries, web, and non-web applications) and programming languages (including Java, C/C++, and .NET) from every part of the software supply chain on which organizations depend. It represents intelligence gleaned from analyzing billions of lines of code submitted to Veracode for independent verification of software security from more than 15 industries.

Volume 4 (60 Pages)
December 7th, 2011

Get the full report

Veracode State of Software Security Volume 4 Executive Summary

The Veracode State of Software Security Report, a twice-yearly benchmark study, contains a tremendous amount of data. To review a six (8) page executive summary that contains the seven (7) key findings, click below.

Get the full report

State of Software Security Report Volume 3

Veracode's third State of Software Security report presents intelligence gleaned from analyzing billions of lines of code submitted to Veracode.

Volume 3 (50 Pages)
April 19, 2011

Get the full report

Veracode State of Software Security Volume 3 Executive Summary

The Veracode State of Software Security Report, a twice-yearly benchmark study, contains a tremendous amount of data. To review a six (6) page executive summary that contains the seven (7) key findings, click below.

Get the full report

State of Software Security Report Volume 2

Veracode's second State of Software Security report presents intelligence gleaned from analyzing billions of lines of code submitted to Veracode.

Volume 2 (36 Pages)
September 22nd, 2010

Get the full report

Veracode State of Software Security Volume 2 Executive Summary

The Veracode State of Software Security Report, a twice-yearly benchmark study, contains a tremendous amount of data. To review a six (6) page executive summary that contains the seven (7) key findings, click below.

Get the full report

Veracode State of Software Security Volume 1 Executive Summary

The Veracode State of Software Security Report, a twice-yearly benchmark study, contains a tremendous amount of data. To review a six (6) page executive summary that contains the seven (7) key findings, click below.

Get the full report

State of Software Security Report Volume 1

Veracode's very first State of Software Security report presents intelligence gleaned from analyzing billions of lines of code submitted to Veracode.

Volume 1 (32 Pages)
March 1st, 2010

Get the full report