In 2011, Marc Andreessen wrote an article in the Wall Street Journal that included the now-famous phrase “software is eating the world.” Eight years on, that statement rings truer than ever. It’s not a stretch to say that software is eating the cybersecurity world as well. The fallout from not integrating security early in the development lifecycle has never been more apparent. 

To take a deeper look, Veracode has released the 10th edition of its State of Software Security report, which looks at where security is today versus where it was when the report started. 

The 10th edition has seen huge growth in testing, with 85,000 applications tested compared to only 1,591 in the first edition. The report also found an 11% increase in the number of applications with at least one flaw, and a 14% decrease in applications with high-severity flaws. 

The average time it takes to fix a flaw today is 171 days, compared to 59 days 10 years ago. According to the company, the median is unchanged at 59 days, which indicates that while most fixes still happen quickly, there is a long and growing tail of unresolved findings that drags the average up.

In addition to the 10-year comparison, the report looks at how applications are doing today on policy compliance, security debt, and flaw busting.

Those who read last year’s SOSS may remember a heavy emphasis on flaw persistence timeframes and what contributes to making them longer or shorter. This year, Veracode returns to that topic, but focuses on the accumulating security debt in applications caused by those persistent flaws and long fix timeframes. 

Key findings included:

  • Two in three apps fail their initial scan against the OWASP Top 10 and SANS Top 25 industry standards
  • 56% of software flaws eventually get fixed
  • 76% of high-severity flaws are addressed by developers
  • There is five times less security debt in organizations that scan their code more than 300 times per year
  • C++ carries 3 to 5 times more unresolved flaws than .NET over a sample period
  • The median fix time is 68 days for apps scanned 12 or fewer times per year, and 19 days for apps scanned 260+ times per year

“It’s a near certainty that your applications have security flaws of various types. The likelihood of remediating those flaws in a comprehensive and timely manner is not nearly as certain. The ability to do this consistently — and thereby drive down security debt rather than racking it up — is what separates leading and lagging SDLC programs,” Veracode explained. 


Content provided by Veracode and SD Times