Today marks a big milestone for Veracode, and for the application security industry – we’re releasing the 10th volume of our State of Software Security (SOSS) report. 10 SOSS reports and 80,000+ apps later, we’ve accumulated a lot of data, and a lot of insights, about application security trends and best practices. This year, we took a look back at the AppSec picture over the past 10 years, and dug into the data amassed from our security scans from April 2018 to March 2019. Some big takeaways:
The more things change, the more they stay the same: We’ve seen some positive movement this year, but we’ve got a long way to go. The same vulnerabilities are populating the top 10 list, and the percentage of applications that have at least one vulnerability on initial scan has remained high and stagnant over the past 10 years. Secure coding training is clearly still a critical component of any security program.
We’ve moved beyond just finding flaws to fixing them: Our VP of Services Pejman Pourmousa was recently quoted saying, “you can’t scan your way to secure code.” And that sentiment appears to be gaining momentum. This year’s data, especially compared to data over the past 10 years, reveals that developers are indeed focused on fixing the security flaws they find more than ever before. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20% either had no flaws or showed no change. This means 70% of development teams are keeping pace or pulling ahead in the flaw-busting race!
Security debt is piling up: Although fix rates are improving, most organizations are prioritizing newly found security flaws, while letting older, unaddressed flaws linger. This accumulation of security debt is both illustrated in our SOSS data and has started to emerge as a pain point in our conversations with customers. But this year’s data also provides some compelling evidence surrounding steps organizations can take to start chipping away at that debt. In particular, organizations that are scanning the most are carrying 5x less security debt than those scanning the least.
See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.