Veracode revealed data that could save organizations time and money by helping developers minimize the introduction and accumulation of security flaws in their software.
Their report found that flaw build-up over time is such that 32% of applications are found to have flaws at the first scan and by the time they have been in production for five years, 70% contain at least one security flaw.
With the cost of a data breach averaging $4.35 million, teams should prioritize remediation early in the software development life cycle to minimize risk caused by flaw accumulation.
“As with all our studies, we set out to provide insights that developers can put into action right away. From this year’s findings, two important considerations emerged: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced. Aside from technical access controls, secure coding practices are all the more crucial for cybersecurity in 2023 and beyond,” said Chris Eng, CRO at Veracode.
No direct correlation between app growth and flaw introduction
After the initial scan, apps quickly enter a ‘honeymoon period’ of stability, and 80% do not take on any new flaws at all for the first 1.5 years. After this point, however, the number of new flaws introduced begins to climb again to approximately 35% at the five-year mark.
The study found that developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs.
For example, skipping months between scans correlates with an increased chance that flaws will be found when a scan is eventually run. Furthermore, top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren’t missed.
The fragility of open source
With heightened focus on the Software Bill of Materials over the past year, Veracode’s research team also examined 30,000 open-source repositories publicly hosted on GitHub. Interestingly, 10% of repositories hadn’t had a commit—a change to the source code—for almost six years.
“Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins. Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies,” said Eng.
Steps to success
Veracode’s research reveals key steps that security and development teams should take:
- Tackle technical or security debt as early and quickly as possible. The remediation curve must fall earlier and faster because an application will have accumulated flaws by the time it is two years old. Whether through increasing complexity from years of steady growth or diminishing focus on application development, this trend continues upwards, meaning there is a 90% chance an application will contain at least one flaw by the 10-year mark. Scanning frequently using a variety of tools helps to find and fix flaws that may have been introduced or built up over time.
- Prioritize automation and developer security training to provide understanding of which vulnerabilities are most likely to be introduced, as well as techniques to avoid introducing flaws altogether. Overall, the data shows a 27% chance that new flaws will be introduced in an application in any given month. Organizations that scan via API reduce this probability to 25%. Those that complete 10 Security Labs—a training platform offering hands-on vulnerability detection and remediation experience—also reduce the probability of flaws being introduced by 1.8% in any given month.
- Establish an application lifecycle management protocol that incorporates change management, resource allocation, and organizational controls. Investigate what the supportability and quality control phases look like in your organization. Initial discussions could lead to planned obsolescence for some applications and a review of the processes and quality control measures involved in continuous product engineering.
“With Veracode’s State of Software Report, it’s fascinating to examine flaw accumulation and behavior by drawing upon nearly two decades of data. The breadth and depth of the data enables us to not just identify best practices, but also some of the more subtle factors that need to be addressed early in the development process to minimize risk later down the line,” said Jay Jacobs, Data Scientist at the Cyentia Institute.