Veracode has released the State of Software Security (SOSS) Volume 11, which reveals that the majority of applications contain at least one security flaw and that fixing those flaws typically takes months. This year’s analysis of 130,000 applications found that it takes about six months for teams to close half of the security flaws they find.
The report also identifies best practices that significantly improve these fix rates. Veracode distinguishes between factors teams have very little control over and those they have a lot of control over, categorising them as “nature vs. nurture”. On the “nature” side it considered factors such as the size of the application and of the organisation, as well as accumulated security debt; the “nurture” side covers actions such as scan frequency, scan cadence, and scanning via APIs.
Fixing Security Flaws: Nature or Nurture?
SOSS 11 found that addressing issues with modern DevSecOps practices results in higher flaw remediation rates. For example, using multiple application security scan types, working within smaller or more modern apps, and embedding security testing into the pipeline via an API all reduce the time taken to fix security defects, even in apps with a less than ideal “nature”.
“The goal of software security isn’t to write applications perfectly the first time, but to find and fix the flaws in a comprehensive and timely manner,” said Chris Eng, Chief Research Officer at Veracode. “Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools.”
Other key findings of SOSS 11 include: