State of Software Security: Top 5 Takeaways for Security Professionals

Veracode’s recent State of Software Security report found five key takeaways that every security professional should know

Veracode

There’s a lot to unpack in our most recent State of Software Security (SOSS) report, including some then vs. now comparisons, a look at the most popular vulnerabilities, and a deep dive into security debt. Here are the five takeaways we consider most noteworthy for security professionals:

  1. Apps are insecure

Eighty-three percent of applications have at least one flaw in their initial scan. And the types of flaws that were plaguing code a decade ago are still wreaking havoc today: information leakage and cryptographic issues.

We need to do a better job helping developers create secure code. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.

  2. Security debt is a significant problem

We do see improvement in fix rates. Half of applications showed a net reduction in flaws over the sample time frame. Another 20 percent either had no flaws or showed no change. This means 70 percent of development teams are keeping pace or pulling ahead in the flaw-busting race. However, we also found that teams are prioritizing newly found security flaws over older flaws, leading to security debt piling up.

  3. We’re doing a better job tackling high-severity flaws, but not the most exploitable ones

Developers are doing a better job fixing what they find, and they are prioritizing both the most recently discovered flaws and the most severe ones. But we found that the security debt accumulated across organizations consists primarily of Cross-Site Scripting, with Injection, Authentication, and Misconfiguration flaws making up sizable portions as well. This is noteworthy because Injection is the second most prevalent flaw category in reported exploits.

  4. When you scan more, you secure more

Those that scanned the most, and the most regularly, had dramatically better fix rates and less security debt. In fact, those with the highest scan frequency (260+ scans per year) had 5x less security debt, and a 72 percent reduction in median time to remediation.

  5. There are some differences in how organizations in different industries are securing software

Organizations in the retail sector are doing the best job at keeping security debt at bay, while those in the government and education space are doing the worst. The infrastructure industry is fixing flaws almost 4X faster than any other industry, and 13X faster than the median time to remediation for healthcare. The financial industry has an impressive fix rate, but one of the slowest median times to remediation.


Copyright © 2020 IDG Communications, Inc.