Skip navigation
Menu
News
DevSecOps logo Alamy
IT Operations and Management>DevSecOps

Veracode State of Software Security Report Identifies How to Improve DevSecOps

According to Veracode's State of Software Security 2023 report, there are specific steps organizations can take to minimize the presence of security vulnerabilities as apps continue to evolve.

Flaws in software development don't occur at a steady rate; rather they tend to congregate at different points in the DevSecOps lifecycle. That's one of the key findings of the Veracode State of Software Security 2023 report.

Veracode is an application security company that builds tools and services to help both developers and security professionals.

The report found that there is no direct correlation between app growth and flaw introduction. The size of applications increases by approximately 40% annually. However, Veracode research shows that the rate at which new security vulnerabilities are introduced into the software drops significantly after the first scan.

After an initial scan of a new development, 32% of applications are found to have at least one flaw. After which, there is a period of at least 1.5 years when applications do not take on any new flaws at all. After this point, however, the number of new flaws introduced begins to climb again to approximately 35% at the five-year mark.

The report also examined the fragility of open source software, identifying that 10% of repositories had not had any changes to their source code in up to six years.

While there are no shortage of flaws, there are also proven steps that the research identifies that can help development and security teams, including:

  • Dealing with technical debt as early as possible
  • Prioritizing automation and training to identify likely vulnerabilities
  • Establishing an application lifecycle management protocol

Related: The DevSecOps Model: What You Need To Know

Software vulnerabilities are increasingly opening a door for attackers, Chris Eng, chief research officer at Veracode, told ITPro Today. "Security and development teams should tackle technical or security debt as early and quickly as possible and continue scanning frequently with a variety of tools to find and fix flaws that may have been introduced or built up over time."

Veracode State of Software Security Report: Older Apps Have More Flaws

As to why flaws begin to grow in applications at the five-year mark, there are a number of possible explanations.

It could be related to staff changes over time, Eng said. For example, as developers leave organizations, knowledge may not be transferred to others and so may be lost. New staff may also be unfamiliar with previous applications, or architectural or design choices, all of which could open the door to flaws as an application moves further from initiation or launch.

Veracodenew flaws chart

The study found that developer training, use of multiple scan types — including scanning via API — and scan frequency can reduce the probability of flaws being introduced. For example, Eng said that skipping months between scans correlates with an increase in the chance of finding flaws when a scan is eventually run. Furthermore, the top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren't missed, he said.

How to Improve DevSecOps and Application Security

According to Veracode, there are three key areas that developers can work on to improve application security:

  1. Find and fix flaws faster. Quite simply, the remediation curve has to fall early and fall faster. "Whether increasing application complexity from years of steady growth or diminishing focus on production applications over time, this familiar pattern of an upwards slant is clear," Eng said.
  2. Prioritize automation and developer training. Veracode's findings show that scan cadence, scanning via API, and developer security training are beneficial for both understanding which flaws will be introduced as well as remediation, Eng said. This year's report found that completion of 10 security labs training led to a 1.8% reduction in the probability that new flaws will be introduced to an application and a 12.1% reduction in the number of flaws introduced when flaws are introduced in the application.
  3. Have the hard conversations about who owns application lifecycle management. Eng said that the data in the report on flaw accumulation over time shows that it is something that needs to be considered to deliver a future-ready program.

"The predictable patterns can be valuable for building smart and mature application security programs," he said.

About the author

Sean Michael Kerner headshotSean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He consults to industry and media organizations on technology issues.
TAGS: Testing and Quality Assurance Application Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
State of Software Security report cover
Software Plagued by Widespread Security Debt, Report Finds
Feb 17, 2024
GitLab logo on a smartphone
GitLab Grows with DevSecOps and AI Innovation
Dec 07, 2023
Jira Software logo on a laptop screen
Atlassian Brings New DevSecOps Integrations to Jira
Jun 09, 2023