Veracode presents volume 8 of the State of Software Security (SOSS) report, our comprehensive review of application testing data. This year's report is bigger and better than ever. SOSS offers you a penetrating look at the results from 400,000 application scans, analyzed for trends in vulnerability prevalence, remediation, industry performance, and more. For example, organizations improved their OWASP pass rate by 13% after their first scan.
Read the report to gain valuable perspective on the state of software security today.
Energy, utilities, and transportation represent some of the most critical industries, keeping the lights on and the economy moving. But fewer than a third of applications in the infrastructure sector passed OWASP Top 10 policy on first scan.
Applications developed by government organizations are the least secure of all industry groupings, measured by pass rate against OWASP Top 10 policy. Government applications also had the highest flaw prevalence of any industry group for cross-site scripting, SQL injection, credentials management, and cryptographic issues.
Financial services organizations showed signs of having some of the most mature application security programs. More than a third of applications were scanned at least monthly (12 or more times per year).
Healthcare organizations hold some of the most sensitive personal data, so it’s encouraging to see this industry made strides in improving application security in 2017.
Manufacturing and aerospace organizations had the highest OWASP pass rate on latest scan (30.5%) of any of our industry groupings. This could indicate that companies in this sector have application security programs that are more mature than other industries. This industry sector also had the lowest proportion of applications undergoing their first assessment (about 39%).
Retail and hospitality organizations ranked second in the rate of improvement in OWASP pass rate compared to 2016, seeing a 9% improvement. This is a positive indicator of maturing AppSec programs in an industry that has been plagued by data breaches in recent years.
Technology companies showed the clearest signs of DevOps-style practices, with 2% of applications tested at least daily. Technology organizations also had a dramatically lower prevalence of major vulnerability classes than other industries: cross-site scripting (8.6%), SQL injection (6.6%), cryptographic issues (16%), and credentials management (10.6%).
Developer training has an essential role in reducing flaws. Veracode scan data showed that eLearning improved developer fix rates by 19% and remediation coaching improved fix rates by 88%.
Watch the video to hear CA Veracode VP of Engineering Maria Loughlin explain what security teams can do to boost developers’ secure coding skills.
In 2017, applications scanned 12 or more times per year (monthly on average) became more common, and the mean number of scans per application increased from 7.9 to 10.6.
In this video, CA Veracode Senior Director of Product Management Tim Jarrett shares insights about what development organizations need to do to build security into DevOps processes.
We examined the security of open source software components as part of our analysis of Java applications. 88% of Java applications had at least one vulnerability introduced by an open source component.
Chris Wysopal, Veracode co-founder and CA Veracode CTO, explains in this video how open source components create opportunities and risks for organizations, and shares advice for minimizing the impacts of open source vulnerabilities.
The State of Software Security report provides a richness and scope of application scanning data unparalleled in the AppSec industry. This year’s report looks back over several years’ worth of data, allowing us to plot trends and identify best practices. We found that long-running programs perform best. Programs that have been around for 10 years had a 35% better OWASP pass rate than those in place for a year or less.
Use the data to draw your own lessons to improve your application security program – whether you’re on a path to greater program maturity, or taking your first step.