Application security: what’s working

There are a lot of ways that companies are missing the mark on AppSec, but there are a lot of ways they aren’t, and we can learn a lot from those that are doing it right.

We at Veracode have been in the application security business, and only the application security business, for more than 10 years. In that time, we’ve scanned almost 6 trillion lines of code, and helped our customers fix more than 36 million security-related defects. Between the experiences of our teams helping tens of thousands of customers with their AppSec programs, and the raw data from our SaaS-based platform, we have a wealth of intelligence about how organizations are tackling application security, and where they are seeing success. Every year, we package up this intelligence in our annual State of Software Security report. We just published our 2017 edition, and a notable inclusion this year is data about what’s working.

There has been a lot written over the years, including by us, about the lack of progress in application security – where organizations are falling short, how vulnerable they are, etc. But what about the success stories? What are those who are moving the needle on AppSec doing differently than those who aren’t? There are a lot of ways that companies are missing the mark on AppSec, but there are a lot of ways they aren’t, and we can learn a lot from those that are doing it right. Here’s what we found:

Simply put: Application security (AppSec) testing makes a difference

The gap between doing nothing and just putting an application testing program in place is significant. In 2017, OWASP pass rates improved by 13 percent from first application scan to last scan. This is further backed up by declining prevalence of the top 10 vulnerabilities in rescanned applications.

And the more testing you do, the better the results

This year’s data found that organizations that scan their applications more frequently during development fix more flaws than those doing only security-initiated scans closer to production. Specifically, the difference between those organizations that use sandbox testing (developer-initiated scans early in the code development process) compared to those that only do policy scans (security-initiated scans before the release goes to production) translates to a 48.2 percent better fix rate when comparing flaw density changes from first scan to latest scan.

Developer training has an essential role in reducing flaws

Effective application security requires both locating security-related defects, and fixing them. But developers simply aren’t equipped with the knowledge or skills they need to fix these flaws. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from, and found that less than one in four developers or other IT pros were required to take a single college course on security. Meantime, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security. The good news is that getting developers the security training they need makes a big difference. Our data this year revealed that eLearning improved developer fix rates by 19 percent; even better, remediation coaching improved fix rates by a whopping 88 percent.

Long-running programs see the best results

Our 2017 data set shows that, although progress can be incremental in AppSec, those who are in it for the long haul are rewarded for their efforts. Organizations make big gains in securing their applications when they stick with the program, with the most mature application security programs having a 35 percent better all-time OWASP policy pass rate than those just starting out.

We’ve got a long way to go in shoring up our code against cyberattackers. Our data this year also shows that the same security flaws continue to show up in code, and 77 percent of the code we scanned in 2017 had at least one vulnerability. But we’re also starting to see clear trends regarding what works, and this will increasingly give organizations an AppSec starting point and roadmap and, hopefully, decrease that 77 percent stat in our future State of Software Security reports.

Copyright © 2017 IDG Communications, Inc.

The 10 most powerful cybersecurity companies