Veracode’s 10th State of Software Security Report Finds Organizations Reduce Rising ‘Security Debt’ via DevSecOps, Special Sprints

Report Marks a Decade of Insight into Evolution of AppSec and Shows Teams Progressing Toward Secure Development

BURLINGTON, Mass. – Oct. 22, 2019 – Veracode, a leading provider of application security testing (AST) solutions, today announced the findings of the State of Software Security (SOSS) Volume 10 report. The 10th installment of the industry’s most comprehensive research on application security data finds that more than half of all security findings (56%) are fixed, but a focus on fixing new findings while neglecting aging flaws leads to increasing security debt. 

After analyzing more than 85,000 applications across more than 2,300 companies worldwide, the research found that fixing vulnerabilities has become just as much a part of the development process as improving functionality, suggesting developers are shifting their mindset to view the security of their code as equal to other value metrics.

“Over the past 10 years, we’ve seen a vast improvement in the overall state of application security. We’ve gone from having to discuss why AppSec is important to having conversations about the best way to approach the problem. This change is reflected in the data that shows companies are fixing a higher percentage of flaws than ever before,” said Chris Wysopal, cofounder and Chief Technology Officer at Veracode. “However, the report also shows us there is plenty of room for improvement, specifically when it comes to the issue of mounting security debt. Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole.”

SOSS Volume 10 sheds light on best practices for organizations to make security habitual and lighten their security debt load, including frequent testing and a plan for tackling this debt.

While much has changed since the first SoSS report was published nearly 10 years ago, the new report reveals that many of the flaws we saw in the past remain persistent today. Overall, 83% of applications have at least one flaw in the initial scan, and information leakage (64%), cryptographic issues (62%), and CRLF injection (61%) are the most common flaws. Interestingly, cryptographic issues and information leakage were also the top two most common flaws in SOSS Volume 1. Despite the continued prevalence of flaws, development teams are making strides in keeping up with these vulnerabilities - 70% are either reducing the number of flaws after first scan or not introducing any other flaws by the time of the final scan. The pass rate for OWASP Top 10 compliance on the initial scan this year also reversed a three-year decline by rising to 32%, demonstrating that secure development education is helping to reduce the introduction of flaws.

Developers are in a race to fix faster than security debt accumulates

The report reveals that the longer flaws stick around, the chances they will be corrected diminish, which adds to an organization’s security debt. Security debt — defined as aging and accumulating flaws in software — is emerging as a significant pain point for organizations across industries. About half of applications are accruing debt over time, a quarter are driving it down, and another quarter are breaking even.

“The overall prevalence of flaws rose 11% since we first reported it 10 years ago, but the proportion of those flaws assessed to be of high severity dropped 14% over the same period. The data shows developers are very likely to fix high severity flaws so there is solid evidence that development teams are getting better at figuring out which flaws are the most important to fix first,” said Chris Eng, Chief Research Officer at Veracode.

Organizations must address the new security findings while chipping away at the old. The data indicated that how frequently an application is scanned has a direct impact on overall security debt. The top 1% of applications with the highest scan frequency carry about five times less security debt than the bottom third, suggesting frequent scanning does more than help find flaws; it helps companies significantly reduce risk.

DevSecOps delivers a huge spike in fix rates

The frequency and cadence of security testing are tied to changing habits to reduce security debt. Applications scanned less than once per month require a median time to remediate (MedianTTR) of 68 days, yet development teams scanning daily show an MTTR of just 19 days, contributing to lower security debt accumulation over time. Organizations can also reduce security debt by creating security checklists for developers for all new features and scanning codebases following each nightly build.

“Development teams can’t ignore the findings nor choose to fix the new flaws rather than the old ones. Instead, they should make a plan to fix the new findings and use periodic ‘security sprints’ to fix unresolved flaws that could be exploited,” Eng said.

The data reveals 30% of applications show an increased number of flaws in their latest scan, an indication that security debt is accruing. This doesn’t necessarily imply those development teams are doing a bad job managing flaws – it could represent a period of rapid growth and change – but it does highlight that organizations should think about how frequent AppSec testing within DevOps environments can make a positive impact on security debt.

EMEA lags in time to fix flaws, but keeps security debt under control

The report also shows regional differences in several key measures of software security testing. Companies in EMEA had the fewest high severity flaws (32%), followed by the Americas (37%) and Asia-Pacific (40%). The Americas and EMEA impressively fixed their flaws at the same rate (73 and 72% respectively), while APAC fixed just over half (55%). In the past, discrepancies between the Americas and EMEA regions were much larger. The similar fix rates in the region suggests organizations in EMEA are maturing their AppSec programs to rival those in the Americas. However, when it comes to median time to remediate, the results are very different. APAC comes in well ahead at 42 days, followed by the Americas at 56 days, while companies in EMEA trail at 147 days average time to remediate flaws.

Looking at security debt per application, organizations in the Americas come out on top with the fewest at 156 flaws per app, while EMEA carries 210 flaws per app and APAC 732 flaws per app. While organizations in EMEA generally appear to take longer to fix flaws, they still manage to keep debt under control – likely tracing back to the lower starting point for flaw prevalence. This again indicates a dedicated focus to fixing flaws over time, rather than fixing as flaws are found.

Download Veracode’s State of Software Security Volume 10 here. Learn more about the Veracode Platform here.

About the State of Software Security Report
Veracode’s State of Software Security (SOSS) Volume 10 report is a comprehensive review of application security testing data from scans of more than 2 trillion lines of code conducted by Veracode’s base of more than 2,300 companies. This represents the industry's most comprehensive set of application security benchmarks. For this iteration, Veracode collaborated with data scientists at Cyentia Institute to better visualize and understand vulnerability fix behavior.

---