Half of application security flaws remain open six months after discovery

Veracode has introduced the State of Software Security (SOSS) Volume 11 revealing the majority of applications contain at least one security flaw and fixing those flaws typically takes months. This year’s analysis of 130,000 applications found that it takes about six months for teams to close half the security flaws they find.

The report also uncovered some best practices to significantly improve these fix rates. Veracode found there are some factors that teams have very little control over, and those that they have a lot of control over, categorizing them as “nature vs. nurture”. Within the “nature” side Veracode considered factors such as the size of the application and organisation as well as security debt, while the “nurture” side accounts for actions such as scanning frequency, cadence, and scanning via APIs.

Fixing Security Flaws: Nature or Nurture?

SOSS 11 revealed that addressing issues with modern DevSecOps practises results in higher flaw remediation rates. For example, using multiple application security scan types, working within smaller or more modern apps, and embedding security testing into the pipeline via an API all make a difference in reducing time to fix security defects, even in apps with a less than ideal “nature.” 

“The goal of software security isn’t to write applications perfectly the first time, but to find and fix the flaws in a comprehensive and timely manner,” said Chris Eng, Chief Research Officer at Veracode. “Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools.”

Other key findings of SOSS 11 include:

• Flawed applications are the norm: 76% of applications have at least one security flaw, but only 24% have high-severity flaws. This is a good sign that most applications do not have critical issues that pose serious risks to the application. Frequent scanning can reduce the time it takes to close half of observed findings by more than three weeks.
• Open source flaws on the rise: while 70% of applications inherit at least one security flaw from their open source libraries, SOSS 11 also found that 30% of applications have more flaws in their open source libraries than in the code written in-house. The key lesson is that software security comes from getting the whole picture, which includes identifying and tracking the third-party code used in applications.
• Multiple scan types prove efficacy of DevSecOps: teams using a combination of scan types including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) improve fix rates. Those using SAST and DAST together fix half of flaws 24 days faster.
• Automation matters: those who automate security testing in the SDLC address half of the flaws 17.5 days faster than those that scan in a less automated fashion.
• Paying down security debt is critical: the link between frequently scanning applications and faster remediation times has been established in Veracode’s prior State of Software Security research. This year’s report also found that reducing security debt – fixing the backlog of known flaws – lowers overall risk. SOSS 11 found that older applications with high flaw density experience much slower remediation times, adding an average of 63 days to close half of flaws.