A new report from Veracode revealed data that could save organizations time and money by helping developers minimize the introduction and accumulation of security flaws in their software. The Veracode State of Software Security 2023 report found that flaws build up over time: nearly 32 percent of applications have flaws at the first scan, and by the time they have been in production for five years, nearly 70 percent contain at least one security flaw.
With the cost of a data breach at an all-time high, teams should prioritize remediation early in the software development life cycle to minimize risk caused by flaw accumulation. The report suggests that two important considerations emerged from this year's findings: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced.
The study found that after the initial scan, apps quickly enter a ‘honeymoon period’ of stability, and nearly 80 percent do not take on any new flaws at all for the first 1.5 years. After this point, however, the number of new flaws introduced begins to climb again to approximately 35 percent at the five-year mark.
Veracode also said that developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs. For example, skipping months between scans correlates with an increased chance that flaws will be found when a scan is eventually run. Furthermore, top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren’t missed.
With heightened focus on the Software Bill of Materials over the past year, Veracode’s research team also examined 30,000 open-source repositories publicly hosted on GitHub. Interestingly, 10 percent of repositories hadn’t had a commit—a change to the source code—for almost six years.
Veracode’s research reveals key steps that security and development teams should take:
Tackle technical or security debt as early and quickly as possible.
Prioritize automation and developer security training to provide understanding of which vulnerabilities are most likely to be introduced, as well as techniques to avoid introducing flaws altogether.
Overall, the data shows a 27 percent reduction in the likelihood of introducing new flaws when using automated scanning.
Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly.
Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies.