State of Software Security

SOSS 2018 - Stat Card Set

700,000 scans analyzed for the report
2 trillion lines of code scanned over 12 months
22 million flaws found over 12 months
8.7 million flaws fixed over 12 months


What Does SOSS Mean For You?



Veracode presents volume 9 of the State of Software Security (SOSS) report, our comprehensive review of application testing data. This year’s SOSS report includes extensive analysis of the results from more than 700,000 application scans, analyzed for trends in vulnerability prevalence, remediation, industry performance, and more. We’ve also taken it one step further by introducing flaw persistence, which allows us to provide better visibility into the factors that go into fixing flaws. This year’s research shows that more than 70% of all flaws remain one month after discovery, and nearly 55% remain three months after discovery. Plus, we share evidence that DevSecOps unicorns do exist, and they’re fixing flaws 11.5x faster than the typical organization.

Read the report to gain valuable perspective on the state of software security today.

State of Software Security Video

State of Software Security Vol. 9 by the Numbers


When it comes to the overall state of software security, there is still some room for improvement in AppSec. The rate of OWASP compliance declined for the third year in a row, with OWASP Top 10 initial scan pass rates only reaching 22.5%. What’s more, over 85% of all applications have at least one vulnerability in them; over 13% of applications have at least one very high severity flaw.

For more of the top takeaways from this year’s report, check out the infographic.

The DevSecOps Effect



There is a strong correlation between how many times an organization scans and how quickly they address their vulnerabilities. DevOps or Agile-driven development teams are scanning more often, and as a result, they are making incremental improvements every time they test. As you can see in the figure to the right, once organizations hit 300 or more scans per year – the true territory of DevSecOps unicorns – they are seeing the fix velocity going into overdrive.

Flaw Remediation and Mitigation Are the Ultimate AppSec Objectives


This year, we partnered with the data science team at Cyentia Institute to bring you the first-ever look at flaw persistence. This helps us to look at vulnerability fix behavior, and break down how different variables like flaw type, severity, app criticality, and rate of scanning impact the fix velocity and, conversely, the persistence of flaws once they've been discovered.

Watch the video to hear Tim Jarrett, Sr. Director of Product Management at Veracode, explain the key takeaways from our flaw persistence findings.

Open Source Components Remain a Risk



In SOSS Vol. 9, we took another look at the security of open source software, and we found that enterprises are still struggling with vulnerable open source components in their software. For example, last year about 88% of Java applications had at least one vulnerability in a component; this year that figure dipped only marginally, to 87.5%.

Industry View: Retail



In the State of Software Security Volume 9, Veracode’s scan data shows that retail organizations saw an improvement of nearly 12% in OWASP latest-scan pass rates over last year. What’s more, retail organizations are quick to fix their flaws – a great sign that the industry’s AppSec programs are continuing to mature.



Interested in learning more? Check out the infosheet here.

SOSS 2018 - Flaw Persistence by Industry

Flaw Persistence by Industry: Financials
Flaw Persistence by Industry: Government/Education
Flaw Persistence by Industry: Healthcare
Flaw Persistence by Industry: Infrastructure
Flaw Persistence by Industry: Manufacturing
Flaw Persistence by Industry: Retail
Flaw Persistence by Industry: Technology

Advance Your Organization’s Application Security Program



The speed at which organizations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The faster organizations close vulnerabilities, the less risk software poses over time. But the sheer volume of open flaws within applications means that your development teams need to find effective ways to prioritize which flaws they fix first. While many organizations are doing a good job prioritizing by flaw severity, the data this year shows that they're not effectively considering other risk factors such as the criticality of the application or exploitability of flaws.
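As an added illustration (not Veracode's or Cyentia's method, and not code from the report), here is a small Python model of the two ideas discussed on this page: flaw persistence as the share of flaws still open N days after discovery, and a fix queue that weighs severity together with application criticality and exploitability rather than severity alone. The flaw records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flaw:
    flaw_id: str
    app: str
    severity: int                    # 1 (very low) .. 5 (very high)
    app_criticality: int             # 1 (low) .. 5 (mission critical)
    exploitable: bool                # e.g. reachable from untrusted input
    found_day: int                   # day of the scan that discovered it
    fixed_day: Optional[int] = None  # None while the flaw is still open

# Constructed sample records (not report data); days count from the first scan.
FLAWS = [
    Flaw("F1", "web-store", 5, 5, True, 0, 10),
    Flaw("F2", "web-store", 3, 5, False, 0, 45),
    Flaw("F3", "web-store", 4, 5, True, 0, None),
    Flaw("F4", "hr-portal", 5, 2, False, 7, 120),
    Flaw("F5", "hr-portal", 2, 2, False, 7, None),
    Flaw("F6", "batch-job", 4, 1, False, 14, 20),
]

def persistence(flaws, days, as_of):
    """Share of flaws still open `days` after discovery, observed on day `as_of`.
    Only flaws discovered at least `days` before `as_of` are counted, so a
    flaw found yesterday cannot be counted as 'persisting' for a month."""
    eligible = [f for f in flaws if f.found_day + days <= as_of]
    if not eligible:
        return None
    still_open = sum(1 for f in eligible
                     if f.fixed_day is None or f.fixed_day - f.found_day > days)
    return still_open / len(eligible)

def prioritize(flaws, as_of):
    """Open flaws on day `as_of`, highest priority first: exploitable flaws go
    to the top, then severity weighted by how critical the application is."""
    open_flaws = [f for f in flaws if f.fixed_day is None or f.fixed_day > as_of]
    return sorted(open_flaws,
                  key=lambda f: (f.exploitable, f.severity * f.app_criticality, f.severity),
                  reverse=True)

if __name__ == "__main__":
    for horizon in (30, 90):
        print(f"still open after {horizon} days: {persistence(FLAWS, horizon, 200):.0%}")
    print("fix queue on day 30:", [f.flaw_id for f in prioritize(FLAWS, 30)])
```

In the sample, F4 (severity 5 on a low-criticality app) ranks below F2 (severity 3 on a mission-critical app), which is the kind of prioritization the page says severity-only triage misses.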

Veracode vulnerability remediation consulting can help your organization put together an efficient remediation plan to eliminate application vulnerabilities.
