State Of Software Security




Key figures from the report:

400,000 scans analyzed for the report
250 billion lines of code scanned over 12 months
12.8 million flaws found over 12 months
10.9 million flaws fixed over 12 months

What Does SOSS Mean For You?

Veracode presents volume 8 of the State of Software Security (SOSS) report, our comprehensive review of application testing data. This year's report is bigger and better than ever. SOSS offers you a penetrating look at the results from 400,000 application scans, analyzed for trends in vulnerability prevalence, remediation, industry performance, and more. For example, organizations improved their OWASP pass rate by 13% after their first scan.

Read the report to gain valuable perspective on the state of software security today.


Top Takeaways for Developers

Developers' skills, security knowledge, and attitudes about security determine the quality of the code they write. Our scanning data shows that when developers get the right security tools and training, they're getting the job done. The State of Software Security Developer Guide, a special supplement to the SOSS report, provides data-driven insights especially for the developer community.




Industry Analysis: Infrastructure

Energy, utilities, and transportation represent some of the most critical industries, keeping the lights on and the economy moving. But less than a third of applications in infrastructure passed OWASP policy on first scan.


Industry Analysis: Government

Applications developed by government organizations are the least secure of all industry groupings, measured by pass rate against OWASP Top 10 policy. Government applications also had the highest flaw prevalence of any industry group for cross-site scripting, SQL injection, credentials management, and cryptographic issues.


Industry Analysis: Financial Services

Financial services organizations showed signs of having some of the most mature application security programs. More than a third of applications were scanned at least monthly (12 times per year on average).


Industry Analysis: Healthcare

Healthcare organizations hold some of the most sensitive personal data, so it’s encouraging to see this industry made strides in improving application security in 2017.


State of Software Security 2017: In-depth analysis of AppSec trends



Industry Analysis: Manufacturing

Manufacturing and aerospace organizations had the highest OWASP pass rate on latest scan (30.5%) of any of our industry groupings. This could indicate that companies in this sector have application security programs that are more mature than other industries. This industry sector also had the lowest proportion of applications undergoing their first assessment (about 39%).


Industry Analysis: Retail & Hospitality

Retail and hospitality organizations ranked second in the rate of improvement in OWASP pass rate compared to 2016, seeing a 9% improvement. This is a positive indicator of maturing AppSec programs in an industry that has been plagued by data breaches in recent years.


Industry Analysis: Technology

A large proportion of tech companies exhibited DevOps behavior, with 2% of applications tested at least daily. Technology organizations had dramatically lower prevalence of major vulnerabilities such as cross-site scripting (8.6%), SQL injection (6.6%), cryptographic issues (16%), and credentials management (10.6%).


Developer Skills Gap

Developer training has an essential role in reducing flaws. Veracode scan data showed that eLearning improved developer fix rates by 19% and remediation coaching improved fix rates by 88%.

Watch the video to hear Veracode VP of Engineering Maria Loughlin explain what security teams can do to boost developers’ secure coding skills.

The DevOps Effect

In 2017, the proportion of applications scanned 12 or more times per year (monthly on average) rose, while the average (mean) number of scans per application increased from 7.9 to 10.6.

In this video, Veracode Senior Director of Product Management Tim Jarrett shares insights about what development organizations need to do to build security into DevOps processes.

How Components Build Risk Into Apps

We examined the security of open source software components as a part of our analysis of Java applications. 88% of Java applications had at least one component-based vulnerability.

Chris Wysopal, Veracode co-founder and Veracode CTO, explains in this video how open source components create opportunities and risks for organizations, and shares advice for minimizing the impacts of open source vulnerabilities.

Insights Into Your Own AppSec Program

The State of Software Security report provides a richness and scope of application scanning data unparalleled in the AppSec industry. This year’s report looks back over several years’ worth of data, allowing us to plot trends and identify best practices. We found that long-running programs perform best. Programs that have been around for 10 years had a 35% better OWASP pass rate than those in place for a year or less.

Use the data to draw your own lessons to improve your application security program – whether you’re on a path to greater program maturity, or taking your first step.
