Learn how AppSec has evolved and where it’s headed

Credit: Veracode

In a recent podcast with IDG, Chris Wysopal, Veracode Chief Technology Officer, speaks to the evolution of application security (AppSec) over the past ten years. In his evaluation, Wysopal draws on findings from Veracode’s annual State of Software Security (SOSS) reports. The first volume of the SOSS report, published in March of 2010, focuses on explaining and advocating for an application security (AppSec) program. By the tenth volume, the most recent edition, the focus shifts to building out an AppSec program.

The gradual transition from AppSec awareness to AppSec program planning indicates a clear understanding of the importance of securing applications. In fact, there has been a 50 percent increase in the number of applications scanned for vulnerabilities. But despite the significant increase in scanned applications, vulnerabilities are growing. The only vulnerabilities that have seen a decline are those considered to be “high-severity.” This finding points to a new trend: more applications are being scanned, but only critical flaws are being prioritized when it comes to remediation.

There are two ways of looking at this trend. On the one hand, if an organization is new to AppSec, it is practical and advisable to fix high-severity flaws first. On the other hand, AppSec has been around for quite some time, so organizations need to work on maturing their AppSec programs. A mature, best-practice AppSec program does not favor certain applications or flaws; it scans all applications and remediates all flaws.

Making security a standard way of building software aligns with DevSecOps, in which security is organically woven into development and operations. Moving to DevSecOps requires organizations to break down silos and establish a working relationship between development and security teams.
Once relationships are formed and security and development teams start to understand each other’s roles, a “security champions” program can be implemented. Security champions are developers who agree to learn more about security and advocate for it in the build process.

Better yet, Wysopal proposes that colleges and universities start incorporating security into computer engineering curricula. By instilling the need for application security into the minds of future developers, DevSecOps will become commonplace.

To learn more about AppSec’s progression, or to hear Chris Wysopal’s view on the future state of AppSec, download our podcast, AppSec Grows Up: A Hard Look at Software Security.