Blog

Community

Veracode Community Partner Community

Schedule a Demo

Products

Manage your entire AppSec program in a single platform.

Simplify vendor management and reporting with one holistic AppSec solution.

Empower developers to write secure code and fix security issues fast.

Get expertise and bandwidth from Veracode to help define, scale, and report on an AppSec program.

Products & Services

Veracode delivers the AppSec solutions and services today's software-driven world requires. Meet the needs of developers, satisfy reporting and assurance requirements for the business, and create secure software.

View Product

Application Analysis

Veracode simplifies AppSec programs by combining five application security analysis types in one solution, all integrated into the development pipeline.

Static Analysis (SAST) Software Composition Analysis (SCA) Dynamic Analysis (DAST) Discovery Penetration Testing

Developer Enablement

With automated, peer, and expert guidance, developers can fix – not just find – issues and reduce remediation time from 2.5 hours to 15 minutes.

Security Labs Security Labs Community Edition eLearning Customer Success Packages

AppSec Governance

AppSec programs can only be successful if all stakeholders value and support them. That’s why Veracode enables security teams to demonstrate the value of AppSec using proven metrics.

Analysis Center Discovery Customer Success Packages

Solutions

Our Approach

Veracode gives you solid guidance, reliable and responsive solutions, and a proven roadmap for maturing your AppSec program. By increasing your security and development teams’ productivity, we help you confidently achieve your business objectives.

Achieve DevSecOps Security as an Advantage Reduce Risk Meet Compliance Executive Order on Cybersecurity

Financial Services Software & Technology Retail & Ecommerce Healthcare Government

Prove at a glance that you’ve made security a priority and that your program is backed by one of the most trusted names in the industry.

Program Overview Verified Directory Get Verified

Developers

Developer Center

Documentation Quick Start Guide Scan Code Integrations API Reference

AppSec Knowledgebase Vulnerability Database Developer Community Contact Support

Status Page Product News

Veracode provides workflow integrations, inline guidance, and hands-on labs to help you confidently secure your 0s and 1s without sacrificing speed.

Secure Code Training

Partners

Partner Ecosystem

Veracode’s comprehensive network of world-class partners helps customers confidently, and securely, develop software and accelerate their business.

Find a Partner

Solution Providers Global System Integrators Technology Alliances & Integrations

Expand your offerings and drive growth with Veracode’s market-leading AppSec solutions. Access powerful tools, training, and support to sharpen your competitive edge.

Partner Program Overview Become a Partner Visit Partner Community

Resources

About Us

Survey: How Teams are Using Software Components in the Age of DevOps

By Neil DuPaul

April 10, 2018

Secure Development Managing AppSec

New research: Only 52% of developers using components in their apps update them when a new vulnerability is announced

Open source components have gone mainstream. With every company undoubtedly becoming a software company, open source and commercial components are a vital element in developing applications at the speed of DevOps. But while they’re a powerful tool for adding features and functionalities to applications in relatively short order, they also introduce remarkable security risks.

Wanting to better understand developers’ perspectives around open source and commercial components, we conducted research with Vanson Bourne to help us to understand how and why developers use them, who’s responsible for maintaining them and how they keep track of the components in their applications. What we learned is that organizations’ still lack security awareness: only 52 percent of developers using components in their apps update them when a new security vulnerability is announced.

This number is important, especially when you consider that a single open source vulnerability in an Equifax web server exposed the financial data of 143 million Americans, costing Equifax hundreds of millions of dollars and the trust of their customers. Even with this extreme example, there is still a gap in AppSec:

More than 80 percent of respondents report using either or both commercial and open source components, with an average of 73 components being used per application.
The development (44 percent) or security (31 percent) teams are most likely to be responsible for the maintenance of third-party commercial and open source components, which suggests a move towards responsibility for the development team.
But only 71 percent of organizations report having a formal application security (AppSec) program in place.
Just over half (53 percent) of organizations keep an inventory of all components (top level and sub components) in their application.

While we’re thrilled to see that there is increased clarity around who is responsible for maintaining components. That said, it’s hard to know what to patch – and when – without comprehensive visibility into all of the components in play.

To learn more about Veracode’s Software Composition Analysis solution, and how it can help your teams mitigate third-party risk with a Modern Software Factory approach, click here.

Survey: How Teams are Using Software Components in the Age of DevOps

New research: Only 52% of developers using components in their apps update them when a new vulnerability is announced

Related Content