Comment on the State of Software Security Report Frequent security scans are the norm today
Frequent and regular security scans help to secure applications. But have companies now recognized this added value? Julian Totzek-Hallhuber from Veracode presents the most important results of the twelfth annual State of Software Security report in this technical article.
The current SoSS report from Veracode shows that companies are testing more and using a mix of different scan types.
Users expect ever faster, perfectly functioning and secure digital applications. As a result, both innovation and competitive requirements in the field of software development are constantly growing. To keep up with this pace, development teams are turning to native cloud technologies, microservices, and open source applications. In addition, they are increasingly relying on agile methods and tools for process automation.
However, with all these advances, not only the complexity increases, but also the risk of vulnerabilities and security holes that can sneak into the applications during the development process. The best way to combat this risk is to perform frequent and regular scans using several different scanning methods. The good news is: to date, a certain “scanning and testing mentality” has been established in software development.
In the twelfth edition of the annual State of Software Security Report (SoSS), Veracode takes a closer look at current developments in the field of application security. The results of the study include data from both medium-sized and large companies, commercial software providers and open source projects. These are based on the analysis of more than half a million applications.
The shift to technological alternatives in application development
Development teams are increasingly using new technologies to develop their applications. This indicates the number of new applications that you scan for security vulnerabilities on average in a quarter today. Over the past decade, this has increased to 17 – three times more than in 2010. This suggests that they are building their applications on an architecture consisting of modular microservices.
The shift towards smaller applications that only perform one task is also evident in the use of different programming languages: in 2018, 20 percent of applications included several languages. This share has fallen to five percent three years later. Especially with regard to JavaScript, Python and .NET, a decrease in the application size was observed.
Another way to speed up the development process, developers see in (third party) open source libraries. In fact, today, for example, about 97 percent of Java-based applications consist of open source libraries. In this way, developers save time because they do not have to develop all the functions that the open source code already supports themselves. Nevertheless, open source libraries can also have vulnerabilities.
The number of such gaps has decreased over the past three years. in 2017, 35 percent of libraries still had known defects, today it is only ten percent. The period in which vulnerabilities in open source libraries are identified and fixed has also decreased. In 2017, it took over three years to reduce the error volume by 50 percent. Today, this task takes about a year. 77 percent of the vulnerabilities remain open even after three months. There is still room for improvement.
More efficient troubleshooting thanks to frequent scans
Since applications and codes are provided continuously, developers should also integrate the diverse scanning by means of various tools and methods into the ongoing software development process. Superficial (individual) tests during the last phase of the development cycle are simply no longer sufficient. The risk of errors sneaking into the final product and making the application vulnerable to security-related incidents is too great.
After the last few years in which Veracode investigated application security in companies, a clear picture has now emerged. As part of the current SoSS report, it was found that more and more companies and software developers recognize the need to scan the software they have developed for faulty codes and potential vulnerabilities.
Continuous testing is becoming more and more the norm. Companies have dramatically increased the number of scans performed. Compared to 2010, they scan their applications on average 20 times more frequently today. Whereas in 2010 you performed an average of two to three security tests, today you scan 90 percent of your applications more than once a week. The majority of applications undergo a security scan on average three times a week.
Several different scan types mean more security
For scanning and efficient detection of vulnerabilities, not only frequent and regular security tests, but also several types of scanning are necessary. The main thing is to cover all application components and to secure the software holistically in this way.
Today, companies are increasingly relying on a combination of static and dynamic scans as well as software Composition Analysis (SCA). The spread of such a scan mix has increased by 31 percent between 2018 and 2021. This also results in a much shorter period in which companies remedy vulnerabilities. Development teams that perform dynamic scans in addition to static scans were able to fix vulnerabilities 24 days faster. Due to the use of SCA, the time was reduced by another six days.
Practice-oriented safety training plays a decisive role
In addition to an improvement in the scanning frequency, Veracode was able to establish a connection between the error correction rate and the use of interactive, practice-oriented security training. Developers who participated in such training and were trained on the basis of live applications and practical examples were able to close half of the security gaps by 35 percent faster.
In total, the remediation period is reduced from an average of 170 days for companies that do not offer training courses to 110 days – a saving of two months. Since only a few information courses deal with the topic of software security in depth, companies should promote the further training of their developers in this area. This increases the chances that you will better understand the causes of vulnerabilities and thus be able to fix them faster.
Conclusion
The growing networking, the pressure of innovation and competition as well as the use of new technologies underline the need to efficiently secure applications with the help of security scans. Development teams should not limit the important scanning processes to the final phase of development, but should integrate them throughout the entire development cycle.
The results of the current SoSS report from Veracode show that companies have recognized this added value. They are conducting security scans more frequently compared to the past ten years. They use a mix of several different types of scanning to cover all areas of application. And you accelerate troubleshooting with hands-on security training for your development teams.
* Julian Totzek-Hallhuber is Senior Principal Solutions Architect at Veracode.
