State of Software Security X

The 2019 Veracode State of Software Security (SOSS) is the 10th volume of the report. Much like the application security industry, the report has shifted over those 10 years from counting security defects toward measuring how they get fixed. Like previous volumes, SOSS volume 10 covers the most common types of vulnerabilities, the practices that lead to higher fix rates, and performance by industry. It found that 56% of the flaws discovered are remediated, and that the companies scanning most often carry roughly one-fifth the security debt of the lightest scanners. Why? Because these teams have automated security testing, have made security activities habitual, keep security issues top of mind, and end up fixing more flaws, which suggests that DevSecOps practices improve overall software security.

Read the report to gain valuable perspective on the state of software security today.

SOSS X - Stat Card Set

1.4M scans analyzed for the report

85,000 applications scanned over 12 months

83% of apps have at least one security flaw on initial scan

2 in 3 apps fail to pass tests based on the OWASP Top 10 and the CWE/SANS Top 25

State of Software Security Vol. 10 Key Findings



The 10th volume of the State of Software Security report found that 83% of applications have at least one vulnerability on their first scan. It also found that companies prioritize fixing newly discovered vulnerabilities, which leaves a long tail of older vulnerabilities that are not fixed in a timely manner (security debt), and that companies that test more frequently have higher fix rates. Together, these findings underscore the need for security testing throughout the software development lifecycle, not only at release.

For more of the top takeaways from this year’s report, check out the infographic.

Security Debt



When companies test applications for vulnerabilities, they prioritize which security defects to fix based on a number of business objectives. Prioritizing is good practice, but whatever is deprioritized accumulates as a backlog of unfixed vulnerabilities: security debt. Companies that create a dedicated process for working through this backlog are the most successful at lowering their security debt, and with it their overall risk.

Watch the video to learn more about the current state of software security.

Key Findings

DevSecOps Effect



One way companies pay down security debt is through DevSecOps programs. The study found that companies tend to fix the vulnerabilities that were found most recently. More frequent scanning in a DevSecOps process surfaces security defects throughout the development lifecycle, while they are still recent, which results in more frequent fixing and lower security debt.
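The findings above are about three measurable quantities: the fix rate, how long a flaw stays open, and the age of what is still open (the security debt). As an added example, not from the report and not Veracode's own scoring method, the Python below computes those metrics from a series of scans per application. The scan history, the application names "portal" and "batch", and the 90-day "long tail" threshold are all constructed for illustration. It also makes the cadence effect visible: a fix can only be observed at the next scan, so an application scanned quarterly cannot show a days-to-fix figure shorter than a quarter, and every flaw it carries ages by at least that much before it can be recorded as closed.

```python
"""Fix-rate and security-debt metrics from a history of application scans.

Added example: this is not Veracode's scoring method, and the scan history
below is constructed. A flaw is keyed by (application, flaw id). It is
"first seen" in the earliest scan that reports it and counted as fixed at
the first later scan of the same application that no longer reports it, so
every days-to-fix figure is an upper bound: a fix can only be observed at the
next scan, and a quarterly cadence cannot measure anything shorter than a
quarter.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Scan:
    app: str
    day: date
    open_flaws: frozenset  # flaw ids reported open in this scan


# Constructed history (hypothetical apps): "portal" is scanned weekly,
# "batch" quarterly. AS_OF is the date the metrics are computed for.
SCANS = [
    Scan("portal", date(2019, 1, 7), frozenset({"a1", "a2", "a3"})),
    Scan("portal", date(2019, 1, 14), frozenset({"a2", "a3", "a4"})),
    Scan("portal", date(2019, 1, 21), frozenset({"a3", "a5"})),
    Scan("portal", date(2019, 1, 28), frozenset({"a3"})),
    Scan("batch", date(2019, 1, 7), frozenset({"b1", "b2", "b3"})),
    Scan("batch", date(2019, 4, 8), frozenset({"b1", "b2", "b4"})),
]
AS_OF = date(2019, 4, 8)


def flaw_lifetimes(scans):
    """Return {(app, flaw_id): (first_seen, fixed_on)}; fixed_on is None
    while the flaw is still open in the application's latest scan."""
    by_app = defaultdict(list)
    for s in scans:
        by_app[s.app].append(s)
    lifetimes = {}
    for app, app_scans in by_app.items():
        first_seen, fixed_on = {}, {}
        for s in sorted(app_scans, key=lambda s: s.day):
            for fid in s.open_flaws:
                first_seen.setdefault(fid, s.day)
            # Anything seen earlier that this scan no longer reports is
            # treated as fixed on this scan's date (first closure only;
            # a flaw that later reappears is not re-opened here).
            for fid in first_seen:
                if fid not in s.open_flaws and fid not in fixed_on:
                    fixed_on[fid] = s.day
        for fid, seen in first_seen.items():
            lifetimes[(app, fid)] = (seen, fixed_on.get(fid))
    return lifetimes


def for_app(lifetimes, app):
    """Subset of lifetimes belonging to one application."""
    return {k: v for k, v in lifetimes.items() if k[0] == app}


def fix_rate(lifetimes):
    """Share of all flaws ever seen that have been closed."""
    if not lifetimes:
        return 0.0
    closed = sum(1 for _, fixed in lifetimes.values() if fixed is not None)
    return closed / len(lifetimes)


def median_days_to_fix(lifetimes):
    """Median observed days from first sighting to first closure."""
    days = [(fixed - seen).days for seen, fixed in lifetimes.values() if fixed]
    return median(days) if days else None


def open_flaw_ages(lifetimes, as_of):
    """Age in days of every still-open flaw: the security debt, itemised."""
    return sorted((as_of - seen).days
                  for seen, fixed in lifetimes.values() if fixed is None)


def security_debt(lifetimes, as_of, long_tail_days=90):
    """Count open flaws, and how many are older than long_tail_days."""
    ages = open_flaw_ages(lifetimes, as_of)
    return {"open": len(ages),
            "long_tail": sum(1 for a in ages if a > long_tail_days)}


if __name__ == "__main__":
    life = flaw_lifetimes(SCANS)
    for app in ("portal", "batch"):
        sub = for_app(life, app)
        print(app, "fix rate", round(fix_rate(sub), 2),
              "median days to fix", median_days_to_fix(sub),
              "debt", security_debt(sub, AS_OF))
    print("overall fix rate", round(fix_rate(life), 2))
```

On the constructed data the weekly-scanned "portal" closes 4 of its 5 flaws with a median of 7 days to fix and one flaw in debt, while the quarterly-scanned "batch" closes 1 of 4, its only observable days-to-fix is the 91-day scan gap, and three flaws remain open, two of them already past the 90-day threshold. Real scan exports from any SAST or SCA tool can be loaded into the same Scan records, provided the tool keeps a stable flaw identifier across scans; without that, flaws that move between lines would be counted as fixed and re-found.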

Advance Your Organization’s Application Security Program



The speed at which organizations fix the flaws they discover in their code directly determines the risk those applications carry. The faster vulnerabilities are closed, the less risk the software poses over time. But the sheer volume of open flaws within applications means that development teams need an effective way to decide which flaws to fix first, and whatever is not fixed accumulates as security debt. The companies that are most successful at reducing their overall risk are those that both integrate security into the development process and run a dedicated program for addressing security debt.

Veracode vulnerability remediation consulting can help your organization put together an efficient remediation plan to eliminate application vulnerabilities.
