The 12th volume of our annual State of Software Security (SOSS) report is now live! Rather than examining a single year of activity associated with an application, in this year's report we looked at the entire history of active applications. By doing so, we can view the full life cycle of applications, which results in more accurate metrics and observations. Aside from looking at the past, we also imagined the future by considering practices — such as Veracode Security Labs training — that might help improve application security.
As with all of our SOSS reports, the goal is to help you make informed decisions about your software security program so that you can minimize risk, protect your applications, and meet industry regulations.
Some key takeaways:
Time is a competitive currency for software development teams.
The world is becoming more connected than ever before. But it’s not just increased connectivity that’s shaping the security landscape — it’s the hypercompetitiveness and the need to constantly innovate. This need for speed is driving development teams to adopt native cloud technologies, agile methodologies, open-source code, and microservices.
The adoption of microservices is evident both in the growing number of applications scanned and in a shift toward single-language applications. Organizations now scan more than three times as many applications per quarter as they did a decade ago, and over the past four years the share of applications written in multiple languages fell from 20 percent to less than 5 percent.
Companies using multiple scan types fix flaws faster.
Continuous testing and integration, with security scanning built into pipelines, is becoming the norm. We've seen a 31 percent increase in the use of multiple scanning types between 2018 and 2021, with much of that gain coming from customers using the full suite of static, dynamic, and software composition analysis (SCA) scans. This trend reinforces a finding from last year's State of Software Security report v11: companies that used dynamic scanning in addition to static scanning remediated 50 percent of flaws 24 days faster, and companies that combined static scanning with software composition analysis shaved off six days.
Organizations reap the rewards of developer security training.
Veracode’s research uncovered the positive impact of hands-on security training. Companies whose developers had completed at least one lesson in Veracode Security Labs fixed 50 percent of flaws 35 percent faster than organizations without such training.
To learn more about our findings, check out the full report.