Image: Veracode

There’s always a new vulnerability for security teams and developers to defend against but Veracode’s State of Software Security Report found that things are getting better slowly but surely. The company analyzed its entire historical dataset to see how software engineering has changed over the last decade. Software companies have implemented best practices such as regular scans and microservices to improve overall security, according to the report.

The report authors identified these trends based on an analysis of thousands of applications and millions of scans:

  • Agile development of small, modular applications has eaten the world.
  • Free and open-source code will continue to be a blessing and a curse.
  • Applications are slowly but surely getting more secure.
  • New tools will continue to help improve the application security landscape.

The stats from the report illustrate the change driving this evolution toward more secure software: continuous integration and continuous testing, meaning security scanning is built into the development pipeline rather than run as an occasional, separate exercise, and that approach has become the norm.

More applications are being scanned than ever before. The report states that “most organizations are creating, on average, more than 17 applications for scanning per quarter, up from approximately five a decade ago.” The analysis also found that scan cadence has shifted from quarterly to weekly, with 90% of apps now scanned once a week. The report includes an analysis of static, dynamic and software composition analysis and considers the impact of each type of scan on overall security.

Image: Veracode

The Veracode analysis also identified an increase in microservices, inferred from the number of applications that use multiple languages: “In 2018, roughly 20% of applications incorporated multiple languages. This year, less than 5% of apps used multiple languages, suggesting a pivot to smaller, one-language applications or microservices.”

Veracode analysts also looked at trends in the use of third-party code, and it’s no surprise that they found developers “stick with tried-and-true libraries and likely aren’t going to attempt to refactor their code base to pick up the latest hot commodity.” The good news is that the report also found that the percentage of libraries in use with a known flaw dropped from about 35% to roughly 10% over the past four years:

There are clear trends for Java, JavaScript, and Python, and that trend is very good, because it goes steeply down. In 2017 nearly 35% (on average) of libraries used had a known flaw. In more recent years that has come down to nearly 10%. JavaScript has gone from about 10% to less than 4%, Python from about 25% to nearly 10%, and Go from 7% down to 4%.

Developers also are fixing flaws faster, according to the report: “Back in 2017, it would take over three years to get to the 50 percent (half-life) closed point, and now it takes just over a year.”
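The “50 percent closed point” is a useful metric to track on your own scan data, not just in a vendor report. The script below is an added example, not code from the report or from Veracode: it computes a flaw half-life from a constructed list of findings with open and close dates. Findings still open at the cutoff date stay in the denominator (they are right-censored), so an unfixed backlog can only lengthen the half-life, never shorten it. The sample findings, the cutoff dates and the function names are all assumptions made here for illustration.

```python
"""Flaw half-life: days from opening by which half of all findings are closed.

Added example, not Veracode's code. Input is a list of (opened, closed) date
pairs, with closed=None for findings still open; all values are constructed.
"""
from datetime import date

# Constructed sample findings (illustrative only, not report data):
# (date opened, date closed or None if still open).
SAMPLE_FINDINGS = [
    (date(2022, 6, 1), date(2022, 9, 9)),     # closed after 100 days
    (date(2022, 6, 1), date(2023, 6, 1)),     # closed after 365 days
    (date(2023, 1, 10), date(2023, 1, 20)),   # closed after 10 days
    (date(2023, 1, 10), date(2023, 2, 9)),    # closed after 30 days
    (date(2023, 2, 1), date(2023, 5, 2)),     # closed after 90 days
    (date(2023, 2, 1), date(2023, 8, 30)),    # closed after 210 days
    (date(2023, 3, 1), date(2024, 2, 29)),    # closed after 365 days
    (date(2023, 3, 1), None),                 # still open
    (date(2023, 4, 1), None),                 # still open
    (date(2023, 4, 1), date(2023, 4, 6)),     # closed after 5 days
]

AS_OF = date(2024, 3, 1)        # assumed analysis cutoff: everything above is known
EARLY_AS_OF = date(2023, 2, 1)  # assumed early cutoff: most findings still open


def close_durations(findings, as_of):
    """Sorted open-to-close durations (days) for findings closed on or before as_of.

    Findings closed after as_of are treated as still open at that date.
    """
    return sorted(
        (closed - opened).days
        for opened, closed in findings
        if closed is not None and closed <= as_of
    )


def half_life_days(findings, as_of):
    """Days after opening by which at least half of the findings were closed.

    Only findings opened on or before as_of are considered. Open findings stay
    in the denominator (right-censoring), so the half-life is the duration of
    the ceil(n/2)-th fastest close. Returns None if fewer than half are closed.
    """
    cohort = [f for f in findings if f[0] <= as_of]
    total = len(cohort)
    if total == 0:
        return None
    durations = close_durations(cohort, as_of)
    needed = (total + 1) // 2  # ceil(total / 2)
    if len(durations) < needed:
        return None
    return durations[needed - 1]


def closed_fraction_within(findings, days, as_of):
    """Fraction of findings (opened by as_of) closed within `days` of opening."""
    cohort = [f for f in findings if f[0] <= as_of]
    if not cohort:
        return 0.0
    closed_fast = sum(1 for d in close_durations(cohort, as_of) if d <= days)
    return closed_fast / len(cohort)


def half_life_by_open_year(findings, as_of):
    """Half-life per cohort of opening year, mirroring a year-over-year trend."""
    years = sorted({opened.year for opened, _ in findings if opened <= as_of})
    return {
        year: half_life_days([f for f in findings if f[0].year == year], as_of)
        for year in years
    }


if __name__ == "__main__":
    print("overall half-life (days):", half_life_days(SAMPLE_FINDINGS, AS_OF))
    print("per year:", half_life_by_open_year(SAMPLE_FINDINGS, AS_OF))
    print("closed within 30 days:", closed_fraction_within(SAMPLE_FINDINGS, 30, AS_OF))
    print("early cutoff half-life:", half_life_days(SAMPLE_FINDINGS, EARLY_AS_OF))
```

Note the censoring choice: if you instead dropped open findings before taking the median, a team that closes only the easy flaws and ignores the rest would appear to have a very short half-life. Keeping them in the denominator is what makes the metric honest, and it is why the function returns None rather than a number when fewer than half of the cohort has been fixed.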

The core data for this report represents the full historical data from Veracode services and customers. The data represents large and small companies, commercial software suppliers, software outsourcers and open source projects.

This accounts for a total of:

  • 592,720 applications that used all scan types
  • 1,034,855 dynamic analysis scans
  • 5,137,882 static analysis scans
  • 18,473,203 software composition analysis scans

All those scans produced:

  • 42 million raw static findings
  • 3.5 million raw dynamic findings
  • 6 million raw software composition analysis findings

In most cases, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated and new versions uploaded. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis and/or manual penetration testing through Veracode’s cloud-based platform.

Image: Veracode