Firms step up testing to find and fix software security flaws
Most applications are now security scanned around three times a week, compared to just two or three times a year a decade ago.
A new report from Veracode also shows that developers are now testing more than 17 new applications per quarter -- more than triple the number of apps scanned over the same period a decade ago.
"It is no longer sufficient to scan software as a pre-production step in the last phase of the software development lifecycle. Just as software is now deployed continuously, scanning using a variety of testing tools must also happen continuously as a fully integrated part of the process," says Chris Wysopal, co-founder and chief technology officer at Veracode.
Continuous security testing using multiple scanning types is fast becoming the norm as organizations recognize the need to analyze the software they build across multiple dimensions. Businesses are increasingly using a combination of scan types to secure their software, with a 31 percent increase in the combined use of static, dynamic, and software composition analysis from 2018 to 2021. This trend continues from last year's report, which found that companies using dynamic in addition to static scanning fixed flaws 24 days faster, and including software composition analysis shaved off six more days.
Development teams have been keen to adopt agile methodologies and process automation tools, as well as cloud-native technologies, open-source software, and microservices. But while these trends have increased the speed of software development, they have also introduced new complexities and risks.
"The profusion of more modular applications, particularly over the past two years, has driven a sharp increase in the number of applications scanned," says Veracode's chief research officer Chris Eng. "In 2018, roughly 20 percent of applications comprised multiple languages, but this has taken a nosedive to five percent. This suggests a pivot to building smaller applications that perform a single task, which is consistent with the growing popularity of microservices."
Veracode's research also shows the positive impact of interactive security training. Companies whose developers had completed at least one lesson in Veracode Security Labs -- a hands-on training program using real-life applications -- fixed flaws 35 percent faster than organizations without such training.
The latest Veracode State of Software Security report is available from the company's site.