BURLINGTON, Mass. – Nov. 16, 2020 – Veracode, the largest global provider of application security testing (AST) solutions, today released findings revealing that the financial services industry has the best flaw fix rate across six industries and leads a majority of industries in uncovering flaws within open source components. Fixing open source flaws is critical because the attack surface of applications is much larger than developers expect when open source libraries are included indirectly.
The findings came as a result of Veracode’s State of Software Security Volume 11, which analyzed 130,000 applications from 2,500 companies. The research found that financial services organizations have the smallest proportion of applications with flaws and the second-lowest prevalence of severe flaws behind the manufacturing sector. It also has the highest fix rate among all industries, fixing 75% of flaws. Still, the research found that financial services firms require about six and a half months to resolve half of the flaws they find, indicating it is slower than other industries to remediate.
“Financial services firms have a median time to remediation of more than six months, despite having a high fix rate compared to other sectors,” said Chris Wysopal, Chief Technology Officer at Veracode. “However, developers in the financial services industry are often limited by the nature of the environments they are working in, as applications tend to be older, have a medium flaw density, and aren’t consistently following DevSecOps practices compared to other industries. With some additional training and sticking to best practices, they can quickly remediate issues and start to reduce security debt.”
Financial Services Specific Findings
Veracode’s research found compelling evidence that certain developer behaviors associated with DevSecOps yield substantial benefits to software security. The findings detail that financial services firms:
- Are a leading industry when it comes to fixing flaws in their open source software and establishing strong scan cadences.
- Fall to middle-of-the-road for scanning frequency and integrating security testing, and are not likely to be using dynamic analysis (DAST) scanning technology to uncover vulnerabilities.
- Outperform averages across all industries in dealing with issues related to cryptography, input validation, Cross-Site Scripting, and credentials management – all things related to protecting users of financial applications.
For more information on common flaws and findings, download
About the State of Software Security Report
Veracode’s State of Software Security (SOSS) Volume 11 report is a comprehensive review of application security testing data from scans of more than 130,000 active applications conducted by Veracode’s customer base of more than 2,500 companies. This represents the industry's most comprehensive set of application security benchmarks. Veracode collaborated with data scientists at Cyentia Institute to better visualize and understand new threats and how developers can make applications better and more secure.
Veracode is intelligent software security. The Veracode Software Security Platform continuously finds flaws and vulnerabilities at every stage of the modern software development lifecycle. Prompted by powerful AI trained by trillions of lines of code, Veracode customers fix flaws faster with high accuracy. Trusted by security teams, developers, and business leaders from thousands of the world’s leading organizations, Veracode is the pioneer, continuing to redefine what intelligent software security means. Learn more at www.veracode.com, on the Veracode blog, on Linkedin, and on Twitter.
Copyright © 2023 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.