Veracode have released the findings from their annual State of Software Security Report (SoSS). The report presents metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments, all of which were performed over the last 18 months.
Is your digital infrastructure at risk?
The report revealed that the continued and persistent use of components in software development is creating systemic risk in our digital infrastructure. However, the report also found that companies achieve accelerated benefits when their application security programs reach maturity. These findings indicate that the growing trend of focusing on digital risk, at the application layer, and building security into DevOps processes can yield great results for organisations in reducing risk without slowing down software development.
Are you becoming more vulnerable to cyber attacks?
“The prevalent use of open source components in software development is creating unmanaged, systemic risks across companies and industries,” said Brian Fitzgerald, CMO, Veracode. “Today, a cybercriminal can focus on a single vulnerability in one component to exploit millions of applications. Software components are used by every industry and for software of all kinds, and given our dependence on applications, the ease at millions of applications can be breached has the potential to create havoc in our digital infrastructure and economy.”
Challenges in security and the need for test
60 percent of applications failed basic security requirements upon the first scan. However, the report found that when companies follow best practices and implement programs with consistent policies and practices for secure development, they are able to remediate vulnerabilities at a higher rate. The top quartile of companies were able to fix almost 70 percent more vulnerabilities than the average organisation, and developers who tested unofficially, using Developer Sandbox scanning, improved policy-based vulnerability fix rates by roughly two-times.
“The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments,” said Chris Wysopal, co-founder and CTO, Veracode. “Our platform data shows that more companies are starting to test applications multiple times throughout the development lifecycle. The average number of security tests per app was seven, and some apps were scanned 700-800 times in an 18-month period. We are encouraged by this information because it suggests companies are more deeply embedding security into their software development processes.”
Quick key findings from the SoSS report:
- Prevalent use of open-source and third party components creating unmanaged risk: Approximately 97 percent of Java applications contained at least one component with a known vulnerability.
- Challenges still exist: 60% of applications fail security policies upon first scan
- Best practices emerge, but not pervasive: The top quartile of companies fix almost 70% more vulnerabilities than the average company
- Giving developers more power improves security: Developers using sandbox technology to scan apps prior to assurance testing show 2x improvement in fix rates
- Training matters: Best practices like remediation coaching and eLearning can improve vulnerability fix rates by as much as 6x
- Web applications are still fragile: More than half of web applications were affected by misconfigured secure communications or other security defenses
- DevOps is taking hold: Some applications being scanned multiple times per day, average security tests per app is seven, with some apps being scanned 600-700 times
Edited from press release by Jordan Platt