According to the Veracode State of Software Security 2023 report, nearly 32 percent of applications contain flaws at the first scan and by the time they have been in production for five years, nearly 70 percent have at least one security flaw. Veracode, a global provider of modern application security testing solutions, has revealed data that could save organizations time and money by helping developers minimize the introduction and accumulation of security flaws in their software.
After the initial scan, apps quickly enter a ‘honeymoon period’ of stability, and nearly 80 percent do not take on any new flaws at all for the first 1.5 years. After this point, however, the number of new flaws introduced begins to climb again to approximately 35 percent at the five-year mark.
The study found that developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs.
With heightened focus on the Software Bill of Materials over the past year, Veracode’s research team also examined 30,000 open-source repositories publicly hosted on GitHub. Interestingly, 10 percent of repositories hadn’t had a commit—a change to the source code—for almost six years.
With the cost of a data breach averaging $4.35 million, teams should prioritize remediation early in the software development life cycle to minimize risk caused by flaw accumulation. Veracode’s research reveals key steps that security and development teams should take:
- Tackle technical or security debt as early and quickly as possible. The remediation curve must fall earlier and faster because an application will have accumulated flaws by the time it is two years old. Scanning frequently using a variety of tools helps to find and fix flaws that may have been introduced or built up over time.
- Prioritize automation and developer security training to provide understanding of which vulnerabilities are most likely to be introduced, as well as techniques to avoid introducing flaws altogether.
- Establish an application lifecycle management protocol that incorporates change management, resource allocation, and organizational controls.