Veracode’s recent State of Software Security report found five key takeaways that every security professional should know.

There’s a lot to unpack in our most recent State of Software Security (SOSS) report, including some then vs. now comparisons, a look at the most popular vulnerabilities, and a deep dive into security debt. Here are the five takeaways we consider most noteworthy for security professionals:

Apps are insecure

Eighty-three percent of applications have at least one flaw in their initial scan. And the types of flaws that were plaguing code a decade ago are still wreaking havoc today: information leakage and cryptographic issues.

We need to do a better job helping developers create secure code. Approximately 68 percent of developers and IT pros say their organizations don’t provide them adequate training in application security.

Security debt is a significant problem

We do see improvement in fix rates. Half of applications showed a net reduction in flaws over the sample time frame. Another 20 percent either had no flaws or showed no change. This means 70 percent of development teams are keeping pace or pulling ahead in the flaw-busting race. However, we also found that teams are prioritizing newly found security flaws over older flaws, so security debt keeps piling up.

We’re doing a better job tackling high-severity flaws, but not the most exploitable ones

Developers are doing a better job fixing what they find, and they are prioritizing both the most recently discovered flaws and the most severe ones. But we found that the security debt accumulated across organizations consists primarily of Cross-Site Scripting, with Injection, Authentication, and Misconfiguration flaws making up sizable portions as well.
This is noteworthy because Injection is the second most prevalent flaw category in reported exploits.

When you scan more, you secure more

Those that scanned the most, and the most regularly, had dramatically better fix rates and less security debt. In fact, those with the highest scan frequency (260+ scans per year) had 5x less security debt and a 72 percent reduction in median time to remediation.

There are some differences in how organizations in different industries are securing software

Organizations in the retail sector are doing the best job at keeping security debt at bay, while those in the government and education space are doing the worst. The infrastructure industry is fixing flaws almost 4X faster than any other industry, and 13X faster than the median time to remediation for healthcare. The financial industry has an impressive fix rate, but one of the slowest median times to remediation.