Veracode presents volume 9 of the State of Software Security (SOSS) report, our comprehensive review of application testing data. This year’s SOSS report includes extensive analysis of the results from more than 700,000 application scans, analyzed for trends in vulnerability prevalence, remediation, industry performance, and more. We’ve also taken it one step further by introducing flaw persistence, which allows us to provide better visibility into the factors that go into fixing flaws. This year’s research shows that more than 70% of all flaws remain one month after discovery, and nearly 55% remain three months after discovery. Plus, we share evidence that DevSecOps unicorns do exist, and they’re fixing flaws 11.5x faster than the typical organization.
Read the report to gain valuable perspective on the state of software security today.
When it comes to the overall state of software security, there is still some room for improvement in AppSec. The rate of OWASP compliance declined for the third year in a row, with OWASP Top 10 initial scan pass rates only reaching 22.5%. What’s more, over 85% of all applications have at least one vulnerability in them; over 13% of applications have at least one very high severity flaw.
For more of the top takeaways from this year’s report, check out the infographic.
There is a strong correlation between how many times an organization scans and how quickly it addresses its vulnerabilities. DevOps- or Agile-driven development teams scan more often, and as a result they make incremental improvements every time they test. As the report's figure shows, once organizations hit 300 or more scans per year – the true territory of DevSecOps unicorns – their fix velocity goes into overdrive.
This year, we partnered with the data science team at Cyentia Institute to bring you the first-ever look at flaw persistence. This helps us to look at vulnerability fix behavior, and break down how different variables like flaw type, severity, app criticality, and rate of scanning impact the fix velocity and, conversely, the persistence of flaws once they've been discovered.
Watch the video to hear Tim Jarrett, Sr. Director of Product Management at Veracode, explain the key takeaways from our flaw persistence findings.
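The flaw persistence metric described above, computed over a small set of constructed flaw records. This is an added illustration of the metric, not Veracode's or Cyentia's analysis code, and the records, dates and observation cutoff are invented. One point worth handling: a flaw discovered less than N days before the observation cutoff has not been watched for the full N-day horizon, so it is excluded (right-censored) rather than counted as open or fixed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Flaw:
    flaw_id: str
    discovered: date
    fixed: Optional[date]  # None while the flaw is still open


# Constructed sample data (illustrative only, not SOSS report data):
# ten flaws with discovery dates and, where remediated, fix dates.
AS_OF = date(2018, 12, 31)  # end of the observation window
SAMPLE_FLAWS: List[Flaw] = [
    Flaw("F-01", date(2018, 1, 10), date(2018, 1, 20)),
    Flaw("F-02", date(2018, 2, 1), date(2018, 3, 15)),
    Flaw("F-03", date(2018, 2, 15), None),
    Flaw("F-04", date(2018, 3, 1), date(2018, 3, 5)),
    Flaw("F-05", date(2018, 4, 10), date(2018, 8, 1)),
    Flaw("F-06", date(2018, 5, 5), date(2018, 6, 30)),
    Flaw("F-07", date(2018, 6, 1), date(2018, 6, 2)),
    Flaw("F-08", date(2018, 7, 20), None),
    Flaw("F-09", date(2018, 12, 15), None),  # too recent for any horizon below
    Flaw("F-10", date(2018, 11, 1), date(2018, 11, 20)),  # eligible at 30 days, not at 90
]


def persistence_at(flaws: Iterable[Flaw], horizon_days: int, as_of: date) -> Optional[float]:
    """Fraction of flaws still open `horizon_days` after discovery.

    Only flaws whose horizon falls on or before `as_of` are counted; newer
    flaws are censored. A flaw fixed exactly on the deadline counts as fixed.
    Returns None when no flaw is old enough to be assessed.
    """
    horizon = timedelta(days=horizon_days)
    eligible = [f for f in flaws if f.discovered + horizon <= as_of]
    if not eligible:
        return None
    still_open = sum(
        1 for f in eligible if f.fixed is None or f.fixed > f.discovered + horizon
    )
    return still_open / len(eligible)


def persistence_curve(flaws: Iterable[Flaw], horizons: Iterable[int], as_of: date) -> Dict[int, Optional[float]]:
    """Persistence at several horizons, e.g. 30 and 90 days, as one mapping."""
    flaws = list(flaws)
    return {h: persistence_at(flaws, h, as_of) for h in horizons}


def median_days_to_fix(flaws: Iterable[Flaw]) -> Optional[float]:
    """Median remediation time over the flaws that were actually fixed."""
    durations = [(f.fixed - f.discovered).days for f in flaws if f.fixed is not None]
    return median(durations) if durations else None


if __name__ == "__main__":
    curve = persistence_curve(SAMPLE_FLAWS, (30, 90), AS_OF)
    for horizon, frac in curve.items():
        print(f"{horizon:>3} days: {frac:.1%} of assessable flaws still open")
    print(f"median days to fix: {median_days_to_fix(SAMPLE_FLAWS)}")
```

On this sample, nine flaws are old enough to assess at 30 days and five of them are still open (about 56%), while eight are assessable at 90 days and three remain open (37.5%). Rerunning the same computation per flaw type, severity or scan-frequency bucket is how the variables named above would be compared.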
In SOSS Vol. 9, we took another look at the security of open source software, and we found that enterprises are still struggling with the occurrence of vulnerable open source components within their software. For example, last year about 88% of Java applications had at least one vulnerability in a component; this year that figure dipped only marginally, to 87.5%.
In the State of Software Security Volume 9, Veracode’s scan data shows that retail organizations saw an improvement of nearly 12% in OWASP latest-scan pass rates over last year. What’s more, retail organizations are quick to fix their flaws – a great sign that the industry’s AppSec programs are continuing to mature.
Interested in learning more? Check out the infosheet here.
The speed at which organizations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The faster organizations close vulnerabilities, the less risk software poses over time. But the sheer volume of open flaws within applications means that your development teams need to find effective ways to prioritize which flaws they fix first. While many organizations are doing a good job prioritizing by flaw severity, the data this year shows that they're not effectively considering other risk factors such as the criticality of the application or exploitability of flaws.
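A concrete version of the prioritization point above: ranking the same open flaws by severity alone and then by a combined risk score that also weighs application criticality and exploitability. This is an added example, not Veracode's scoring method; the weight tables, the exploitability multiplier, the flaw categories and the four sample flaws are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed ordinal weights for the factors the text names. Real programs would
# calibrate these; the values here only need to be monotonic.
SEVERITY_WEIGHT: Dict[str, int] = {"very_high": 5, "high": 4, "medium": 3, "low": 2, "very_low": 1}
CRITICALITY_WEIGHT: Dict[str, int] = {"very_high": 5, "high": 4, "medium": 3, "low": 2, "very_low": 1}
EXPLOITABLE_FACTOR = 2.0  # assumed multiplier when a flaw has a known exploit path


@dataclass(frozen=True)
class OpenFlaw:
    flaw_id: str
    category: str  # descriptive label only
    severity: str  # key into SEVERITY_WEIGHT
    app_criticality: str  # business criticality of the host application
    exploitable: bool  # e.g. reachable from untrusted input

    def __post_init__(self) -> None:
        # Fail loudly on unknown labels instead of silently scoring them as zero.
        if self.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"{self.flaw_id}: unknown severity {self.severity!r}")
        if self.app_criticality not in CRITICALITY_WEIGHT:
            raise ValueError(f"{self.flaw_id}: unknown criticality {self.app_criticality!r}")


# Constructed sample backlog (illustrative only).
SAMPLE_BACKLOG: List[OpenFlaw] = [
    OpenFlaw("A", "cross-site scripting", "high", "very_low", False),
    OpenFlaw("B", "sql injection", "medium", "very_high", True),
    OpenFlaw("C", "insecure deserialization", "very_high", "high", True),
    OpenFlaw("D", "weak crypto", "very_high", "low", False),
]


def risk_score(flaw: OpenFlaw) -> float:
    """Severity x application criticality x exploitability multiplier."""
    base = SEVERITY_WEIGHT[flaw.severity] * CRITICALITY_WEIGHT[flaw.app_criticality]
    return base * (EXPLOITABLE_FACTOR if flaw.exploitable else 1.0)


def rank_by_severity(flaws: List[OpenFlaw]) -> List[OpenFlaw]:
    """The common practice: highest severity first, ties keep input order."""
    return sorted(flaws, key=lambda f: -SEVERITY_WEIGHT[f.severity])


def rank_by_risk(flaws: List[OpenFlaw]) -> List[OpenFlaw]:
    """Highest combined risk first; severity breaks ties between equal scores."""
    return sorted(flaws, key=lambda f: (-risk_score(f), -SEVERITY_WEIGHT[f.severity]))


def ranking_ids(flaws: List[OpenFlaw]) -> List[str]:
    return [f.flaw_id for f in flaws]


if __name__ == "__main__":
    print("severity only:", ranking_ids(rank_by_severity(SAMPLE_BACKLOG)))
    print("risk-weighted :", ranking_ids(rank_by_risk(SAMPLE_BACKLOG)))
    for f in rank_by_risk(SAMPLE_BACKLOG):
        print(f"  {f.flaw_id} {f.category:<26} score={risk_score(f):g}")
```

Flaw B, a medium-severity finding, sits last under severity-only ordering but moves to second place once the score accounts for it being exploitable on a very-high-criticality application, which is exactly the kind of risk factor the text says teams are not yet weighing.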
Veracode vulnerability remediation consulting can help your organization put together an efficient remediation plan to eliminate application vulnerabilities.
Veracode is a leading provider of enterprise-class application security, seamlessly integrating agile security solutions for organizations around the globe. In addition to application security services and secure devops services, Veracode provides a full security assessment to ensure your website and applications are secure, and ensures full enterprise data protection. Application protection services from Veracode include white box testing, and mobile application security testing, with customized solutions that eliminate vulnerabilities at all points along the development life cycle.