It’s the 10th anniversary of our State of Software Security (SOSS) report! This year, like every year, we dug into our data from a recent 12-month period (this year we analyzed 85,000 applications, 1.4 million scans, and nearly 10 million security findings), but we also took a look back at 10 years of software security. With a decade’s worth of analysis about software vulnerabilities and the best ways to address them, we’re in a unique position to offer insights into creating secure code. There’s a lot to unpack in our most recent SOSS, including some then vs. now comparisons, a look at the most popular vulnerabilities, and a deep dive into security debt. Here are the five takeaways we consider most noteworthy for security professionals:
Eighty-three percent of applications have at least one flaw in their initial scan. And we’ve been hovering around that number for the past decade. In addition, the types of flaws that were plaguing code a decade ago are still wreaking havoc today. The top two flaw types seen in code 10 years ago are the same top two we saw this past year: information leakage and cryptographic issues. And many of the top 10 flaws in Volume 1 remain on the top 10 list today, including CRLF injection, Cross-Site Scripting, SQL Injection, and Credentials Management.
What is going on here? We’ve said it before, and we’ll say it again: we need to do a better job helping developers create secure code. We recently partnered with DevOps.com to conduct a survey surrounding DevSecOps skills and found that less than one in four developers or other IT pros were required to take a single college course on security. Meantime, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.
In the good news department, we do see improvement in fix rates. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20 percent either had no flaws or showed no change. This means 70 percent of development teams are keeping pace or pulling ahead in the flaw-busting race! However, we also found that teams are prioritizing newly found security flaws over older flaws, leading to security debt piling up. This year’s data reveals that flaws are much more likely to be fixed soon after they’re discovered.
As we said above, developers are doing a better job fixing what they find, and they are prioritizing both the most recently discovered, and the most severe. On the one hand, this is good news. On the other, we found the security debt that has accumulated across organizations is comprised primarily of Cross-Site Scripting, with Injection, Authentication, and Misconfiguration flaws making up sizable portions as well. This is noteworthy because Injection is the second most prevalent flaw category in reported exploits. Bottom line: Exploitability of a flaw needs to be prioritized, and older flaws need to be addressed. An older injection flaw is just as dangerous as a newly discovered one.
This year’s report also looked at the effect of both scanning cadence and frequency on security debt and fix rate. And the results were striking. Those that scanned the most, and the most regularly, had dramatically better fix rates and less security debt. In fact, those with the highest scan frequency (260+ scans per year) had 5x less security debt, and a 72 percent reduction in median time to remediation.
Looking at the software security trends in your own industry gives you an idea of how your program compares, and where to focus your security efforts.
And we did find some significant differences this year in how different industries are tackling AppSec. For instance, we found that organizations in the retail sector are doing the best job at keeping security debt at bay, while those in the government and education space are doing the worst.
The infrastructure industry is fixing flaws almost 4X faster than any other industry, and 13X faster than the median time to remediation for healthcare. The financial industry has an impressive fix rate, but one of the slowest median times to remediation.
You’ll find all the SOSS X industry infosheets, which include details on which vulnerabilities are most common in each industry, on our Resources page.
Read the full SOSS report to learn more about best practices that can help keep your software security. Check out our SOSS X page for access to the full report, additional data highlights, videos of Veracode experts discussing the results, and more.