Flaws in software development don't occur at a steady rate; rather they tend to congregate at different points in the DevSecOps lifecycle. That's one of the key findings of the Veracode State of Software Security 2023 report.
Veracode is an application security company that builds tools and services to help both developers and security professionals.
The report found that there is no direct correlation between app growth and flaw introduction. The size of applications increases by approximately 40% annually. However, Veracode research shows that the rate at which new security vulnerabilities are introduced into the software drops significantly after the first scan.
After an initial scan of a new development, 32% of applications are found to have at least one flaw. After that, there is a period of at least 1.5 years during which applications do not take on any new flaws at all. Beyond that point, however, the number of new flaws introduced begins to climb again, reaching approximately 35% at the five-year mark.
The report also examined the fragility of open source software, identifying that 10% of repositories had not had any changes to their source code in up to six years.
While there is no shortage of flaws, the research also identifies proven steps that can help development and security teams, including:
- Dealing with technical debt as early as possible
- Prioritizing automation and training to identify likely vulnerabilities
- Establishing an application lifecycle management protocol
Software vulnerabilities are increasingly opening a door for attackers, Chris Eng, chief research officer at Veracode, told ITPro Today. "Security and development teams should tackle technical or security debt as early and quickly as possible and continue scanning frequently with a variety of tools to find and fix flaws that may have been introduced or built up over time."
Veracode State of Software Security Report: Older Apps Have More Flaws
As to why flaws begin to grow in applications at the five-year mark, there are a number of possible explanations.
It could be related to staff changes over time, Eng said. For example, as developers leave organizations, knowledge may not be transferred to others and so may be lost. New staff may also be unfamiliar with previous applications, or architectural or design choices, all of which could open the door to flaws as an application moves further from initiation or launch.
The study found that developer training, use of multiple scan types — including scanning via API — and scan frequency can reduce the probability of flaws being introduced. For example, Eng said that skipping months between scans correlates with an increase in the chance of finding flaws when a scan is eventually run. Furthermore, the top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren't missed, he said.
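The two practices singled out above, keeping scan cadence tight and using more than one testing type, can be enforced as a simple policy check over an application's scan history. The following is an added example written for this article, not code from Veracode or from the report; the application names, dates, the 90-day gap limit and the two-type minimum are all assumed values chosen for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample scan history (hypothetical applications and dates,
# not data from the Veracode report): (application, scan type, scan date).
SCAN_HISTORY = [
    ("billing-api",   "static",  date(2023, 1, 10)),
    ("billing-api",   "static",  date(2023, 2, 14)),
    ("billing-api",   "sca",     date(2023, 2, 14)),
    ("billing-api",   "dynamic", date(2023, 3, 20)),
    ("billing-api",   "static",  date(2023, 4, 18)),
    ("legacy-portal", "static",  date(2022, 11, 1)),
    ("legacy-portal", "static",  date(2023, 4, 18)),  # roughly five months skipped
]

AS_OF = date(2023, 5, 1)   # assumed "today" for the staleness check
MAX_GAP_DAYS = 90          # assumed policy: never skip more than ~3 months between scans
MIN_SCAN_TYPES = 2         # assumed policy: at least two testing types per application


def scan_gaps(history):
    """Longest gap in days between consecutive scans (of any type) per application."""
    dates = defaultdict(list)
    for app, _, day in history:
        dates[app].append(day)
    gaps = {}
    for app, days in dates.items():
        days.sort()
        gaps[app] = max(((b - a).days for a, b in zip(days, days[1:])), default=0)
    return gaps


def scan_types(history):
    """Sorted list of distinct testing types each application has been scanned with."""
    types = defaultdict(set)
    for app, kind, _ in history:
        types[app].add(kind)
    return {app: sorted(kinds) for app, kinds in types.items()}


def last_scan(history):
    """Most recent scan date per application."""
    latest = {}
    for app, _, day in history:
        latest[app] = max(latest.get(app, day), day)
    return latest


def cadence_findings(history, today=AS_OF, max_gap_days=MAX_GAP_DAYS, min_types=MIN_SCAN_TYPES):
    """Return (application, message) pairs for every policy violation found."""
    findings = []
    gaps, types, latest = scan_gaps(history), scan_types(history), last_scan(history)
    for app in sorted(gaps):
        if gaps[app] > max_gap_days:
            findings.append((app, f"longest gap between scans is {gaps[app]} days (limit {max_gap_days})"))
        stale = (today - latest[app]).days
        if stale > max_gap_days:
            findings.append((app, f"no scan in the last {stale} days (limit {max_gap_days})"))
        if len(types[app]) < min_types:
            findings.append((app, f"only {len(types[app])} scan type(s) in use: {', '.join(types[app])}"))
    return findings


if __name__ == "__main__":
    for app, message in cadence_findings(SCAN_HISTORY):
        print(f"{app}: {message}")
```

Run as a scheduled job against the scan records your tooling exports, the check turns the report's two observations into something a team gets paged on: an application that went months without a scan, or one whose only coverage is a single testing type, is flagged before the next flaw is found the hard way.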
How to Improve DevSecOps and Application Security
According to Veracode, there are three key areas that developers can work on to improve application security:
- Find and fix flaws faster. Quite simply, the remediation curve has to fall early and fall faster. "Whether increasing application complexity from years of steady growth or diminishing focus on production applications over time, this familiar pattern of an upwards slant is clear," Eng said.
- Prioritize automation and developer training. Veracode's findings show that scan cadence, scanning via API, and developer security training are beneficial both for understanding which flaws will be introduced and for remediation, Eng said. This year's report found that completing 10 security labs training sessions led to a 1.8% reduction in the probability that new flaws will be introduced to an application, and a 12.1% reduction in the number of flaws introduced when an application does take on new flaws.
- Have the hard conversations about who owns application lifecycle management. Eng said that the data in the report on flaw accumulation over time shows that it is something that needs to be considered to deliver a future-ready program.
"The predictable patterns can be valuable for building smart and mature application security programs," he said.
About the author: Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He consults to industry and media organizations on technology issues.