In the past year, we’ve seen an unprecedented series of cyber assaults on democratic elections, ransomware attacks that spread around the world affecting hundreds of thousands of systems in more than 150 countries, and record-breaking data breaches. If we’re going to address this growing crisis effectively, we need a probing inspection of root causes, and fearless prescriptions for new ways forward.
The data available within the CA Veracode Application Security Platform, collected from hundreds of thousands of application scans by our base of 1,600 customers, provides the clearest view into the vulnerabilities and risks in software. Therefore, the State of Software Security report, which draws from the broad and deep pool of our cloud-based platform data, is an essential tool in building an adequate response to the growing threats.
This year’s State of Software Security, the eighth edition of this research report, is our biggest and most comprehensive yet. In addition to examining the data collected from scans over a 12-month period spanning 2016 and 2017, we’re comparing this year’s numbers with data from the last several reports to spot the trends. We looked at many of the same metrics as in past reports, and added some new ones.
We continued our investigation of major application risks such as code re-use from open source libraries, and once again examined the impact of DevOps practices on application security. Furthermore, we spent time examining issues that we haven’t focused on in the past, including vulnerabilities in identity management and the effects IT operations has on applications in production. Like previous reports in this series, State of Software Security 2017 also breaks down the numbers by industry, and continues our emphasis on developer behavior and the security skills gap.
The most basic conclusion of the report is that software is broadly insecure before it is put through the rigors of security testing and remediation. Some key metrics bear that out. For instance, 77 percent of applications have at least one vulnerability on initial scan, and 12 percent of applications have a very high or high severity vulnerability when first scanned. One piece of good news is that the fix rate for very high and high severity vulnerabilities (37 percent) is nearly double the overall vulnerability fix rate (19 percent), indicating that organizations are wisely prioritizing the most severe vulnerabilities.
One of the more worrisome trends is the prevalence of vulnerable components in applications: 88 percent of Java applications have at least one vulnerability in a component, and vulnerable components are rarely updated when a security patch is available. Another indicator of broad insecurity is the pass rate against OWASP Top 10 policy, which declined in the past year to just 30 percent of applications on initial scan.
Although many of these statistics point to the need for improved application security practices, we have found evidence of what works, with encouraging signs of organizations making significant improvements in their application security posture. For instance, organizations that scan their applications more frequently during development fix 48 percent more flaws than those doing only policy scans. And when developers receive remediation consulting from security experts, they fix 88 percent more flaws. Organizations make big gains in securing their applications when they stick with the program, with the most mature application security programs having a 35 percent better all-time OWASP policy pass rate than those just starting out.
There is hope that, armed with the data from this report, more organizations will begin to make a shift to secure their applications throughout the software lifecycle. And we’re continuing to think about how we can use this research to better serve our customers, and the broader community of security professionals and developers.
In addition to the report, we’re offering more tools and content to help you explore and assimilate all this information. On our State of Software Security content hub, you’ll find a data explorer tool, which allows you to filter the enormous dataset by industry, programming language, company size, and geography. The data explorer tool, combined with several industry cheat sheets, can help you compare your organization’s performance against others. Plus, you’ll find brief videos in which our experts describe some of the key themes from the research, and offer tips and best practices.
For a preview of what's inside the report, check out the video and infographic below. Of course, the full report offers the most complete view, with dozens of charts plotting the trends, and data-driven analysis. You can read the report in a digital format, which offers interactive charts and embedded videos. We also offer the report as a PDF, so you can save it or print it for easy reference. However you choose to look at it, we’re confident that you’ll find a lot of value in the State of Software Security 2017 report.