1.4M
scans analyzed for the report
State of Software Security X
The 2019 Veracode State of Software Security represents the 10th version of the report. Much like the application security industry, the report has evolved over the past 10 years to focus more on fix trends than on finding security defects. Like previous reports, SOSS volume 10 provides insights into the most common types of vulnerabilities, practices that lead to improved fix rates, and industry performance. The report found that the majority of flaws are remediated (56%) and that companies scanning more often carry about 5X less security debt than the lightest scanners. Why? Because these teams have automated security testing, have made security activities habitual, ensure that security issues stay top of mind, and end up fixing more flaws – suggesting DevSecOps practices improve overall software security.
Read the report to gain valuable perspective on the state of software security today.
State of Software Security Vol. 10 Key Findings
The 10th volume of the State of Software Security report found that 83% of applications have at least one vulnerability upon first scan. The report also found that companies prioritize fixing newly discovered vulnerabilities, creating a long tail of security debt for vulnerabilities that aren’t fixed in a timely manner, and that companies that test more frequently have higher fix rates. Together, these findings underscore the need for security testing throughout the software development lifecycle.
For more of the top takeaways from this year’s report, check out the infographic.
Security Debt
When companies test applications for vulnerabilities, they prioritize which security defects to fix based on a number of business objectives. While this is best practice, it can also create a backlog of vulnerabilities that are not fixed. Companies that create a dedicated process for addressing this security debt are most successful at lowering their security debt and thus their overall risk.
Watch the video to learn more about the current state of software security.
Key FindingsDevSecOps Effect
One way companies address security debt is through DevSecOps programs. The study found that companies tend to fix the most recently found vulnerabilities. More frequent scanning through a DevSecOps process allows companies to find security defects throughout the development lifecycle and results in more frequent fixing and lower security debt.
State of Software Security by Industry
Veracode’s State of Software Security (SOSS) Volume 10 focused on the topic of security debt, defined as the amount of unaddressed flaws that accumulate in software over time. The report revealed about half of application teams added to their security debt, a little over a quarter paid it down, and a quarter maintained a steady balance. As you might suspect, our analysis showed that debt profiles differed substantially among industries. Below you’ll find industry infosheets that summarize the factors that shape the debt profile exhibited in the chart on the right.
SOSS X - State of Software Security by Industry
Advance Your Organization’s Application Security Program
The speed at which organizations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The faster organizations close vulnerabilities, the less risk software poses over time. But the sheer volume of open flaws within applications means that your development teams need to find effective ways to prioritize which flaws they fix first. Security debt can build up over time. We find that companies that combine integrating security into the development process with a dedicated program for addressing security debt are the most successful at reducing their overall risk.
Veracode vulnerability remediation consulting can help your organization put together an efficient remediation plan to eliminate application vulnerabilities.
State of Software Security X
Cookie Use
We use cookies to collect information to help us personalise your experience and improve the functionality and performance of our site. By continuing to use our site [without first changing your browser setting], you consent to our use of cookies. For more information see our cookies policy.
Veracode is a leading provider of enterprise-class application security, seamlessly integrating agile security solutions for organizations around the globe. In addition to application security services and secure devops services, Veracode provides a full security assessment to ensure your website and applications are secure, and ensures full enterprise data protection. Application protection services from Veracode include white box testing, and mobile application security testing, with customized solutions that eliminate vulnerabilities at all points along the development life cycle.
*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.