Veracode, provider of modern application security testing solutions, today released the results of the Veracode State of Software Security 2023 report, revealing that flaw build up overtime poses a real issue for many businesses.
According to the report, nearly 32% of applications are found to have flaws at the first scan, jumping to almost 70% once they have been in production for five years.
“As with all our studies, we set out to provide insights that developers can put into action right away. From this year’s findings, two important considerations emerged: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced. Aside from technical access controls, secure coding practices are all the more crucial for cybersecurity in 2023 and beyond,” said Chris Eng, chief research officer at Veracode.
The report also stated that after the initial scan, most apps enter a safety period of about a year and a half, where 80% do not take on any new flaws.
Furthermore, it was found that developer training; use of multiple scan types, including scanning via API; and scan frequency all play a role in the reduction of flaw introduction.
The report stated that going months between scans directly correlates with an increased chance that flaws will be found when a scan is eventually run. Additionally, it found that the top flaws in apps vary by testing type, indicating that utilizing multiple scan types ensures that even hard-to-identify flaws are caught.
Key takeaways from the report include:
- Companies should be working to get a handle on technical and security debt as quickly as possible to avoid flaw accumulation
- Prioritize automation and developer security training in order to offer insight into which vulnerabilities an app is most at risk for as well as techniques to avoid the introduction of flaws
- Have an application lifecycle management protocol in place that includes change management, resource allocation, and organizational controls
The Veracode State of Software Security 2023 report looked at over three quarters of a million applications across commercial software suppliers, software outsourcers, and open-source projects. To read the full report, click here.
