Veracode recently released their State of Software Security report in partnership with the Cyentia Institute. The report found a continuing trend towards smaller applications being scanned more regularly for issues, and a general decline in the number of security vulnerabilities, despite the industry still having a long way to go.
Since the White House issued the Executive Order on Improving the Nation’s Cybersecurity there’s been a flurry of reports from vendors peddling solutions and advice. Security is a critically underserved topic in the IT world, receiving periodic bursts of attention from anxious and impatient executives while beleaguered security pros labor to make it easier and more integrated into development. Reports like the State of Software Security report help cut through confusion and provide wise insights and advice.
Veracode has produced this report for 12 years, its most recent report summarizing scans from almost 600,000 applications. The longevity of this report allows them to spot contrasts such as the 20x increase in median scan frequency between 2010 and 2021. The movement from scanning 2-3x / year to scanning at least weekly for 90% of apps reflects the integration of security scanning into the development lifecycle, and the move towards agile and DevSecOps. The report reflects an exponential decrease in the mean time between scans, coinciding with the rise in deployment frequency associated with continuous delivery.
Veracode observed a gradual increase in the number of applications scanned per customer, growing to 17 new apps per quarter, up from five in 2010. This implies that security scanning is becoming a more natural act and a lighter lift for development teams as they gain familiarity with adding it into the development pipeline. Different types of analysis also tend to reveal different flaws meaning that teams are well-served to do multiple types of security analysis such as both static and dynamic application security testing.
One encouraging observation was the reduction in known vulnerabilities in third-party libraries from 35% in 2017 to 10% in 2021. This is likely due to the increasing prevalence of security scanning software from commercial providers like Veracode and Sonatype, as well as efforts from GitHub enabling Advanced Security for all public repositories. Most open source contributors are now familiar with GitHub’s Dependabot notifications of known vulnerabilities in their projects’ dependencies.
The trend of security software vendors producing increasingly robust research is beneficial for the industry. The report was co-written with Cyentia Institute, a security research and data analysis institute founded by some of the authors of Verizon’s Data Breach Investigations Report. Sonatype has also produced its State of the Software Supply Chain report for the last seven years. Dependency analysis, software composition analysis (SCA), software bill of materials (SBOM), and software supply chain (SSC) have entered the daily vernacular of most development teams. This reflects the risky side of the open source world which facilitates promiscuous includes and hides dependencies several layers down. Automated analysis is now a necessity and it’s great to have an increasing variety of reliable choices.