Software Security Making Progress, Report Finds

In the recently published “2018 State of Software Security,” Veracode reported that, although software security across all industries, including retail and financial services, is gradually getting better, there is still plenty of room for improvement.

The report provides analysis of application testing data from more than 700,000 application scans and highlights trends in vulnerability prevalence, remediation, industry performance, and, for the first time, flaw persistence.

Veracode reported that adopting a DevSecOps (development, security, and operations) framework facilitates significant security improvements, noting that organizations with established DevSecOps programs outperformed their peers in how quickly they addressed flaws.

“The DevSecOps mentality tends to incorporate more frequent security scans, incremental fixes, and faster rates of flaw closures into the software development lifecycle,” said Veracode Vice President of Research Chris Eng. “These incremental improvements amount over time to a significant advantage in competitiveness in the market and a huge drop in risk associated with vulnerabilities. This year’s analysis shows a very strong correlation between high rates of security scanning and lower long-term application risks, which we believe present a significant piece of evidence for the efficacy of DevSecOps.”

In addition, although organizations continue to contend with a massive volume of open flaws, they are getting better at closing newly discovered vulnerabilities, Veracode reported. Organizations closed 69 percent of flaws discovered, an increase of nearly 12 percent since the previous report.

Despite this progress, the number of vulnerable applications remains high, and businesses continue to face significant threats from open source components. Organizations' scan results indicated that one in three applications was vulnerable to attack through high or very high severity flaws, that more than 85 percent of applications contained at least one vulnerability on the first scan, and that more than 13 percent of applications contained at least one very high severity flaw.

In addition, Veracode examined fix rates across 2 trillion lines of code and reported that companies continued to experience extended application risk exposure due to persistent flaws. Despite improvements in the numbers of flaws closed, more than 70 percent of all flaws remained one month after discovery and nearly 55 percent remained three months after discovery. More concerning, 25 percent of high and very high severity flaws were not addressed within 290 days of discovery.

“In many ways, our deeper look into the data confirmed what many industry veterans recognize intuitively—it takes time to fix security flaws,” Eng said. “Contrary to what some security staffers might believe, developers simply can’t wave a magic wand over the portfolio to fix the majority of flaws in an instant, or even in a week. On top of that, there are other factors at play, including quality assessment, product release cycles, and other exigencies of delivering software to the real world.”