Intelligent CISO Issue 48 | Page 61

Research finds 20x increase in software security scanning over the past decade

Veracode, a global provider of application security testing solutions, has published new research that finds most applications are scanned around three times a week, compared to just two or three times a year a decade ago. This represents a 20x increase in average scan cadence between 2010 and 2021. Scan volume has also risen dramatically, with developers now testing more than 17 new applications per quarter – more than triple the number of apps scanned over the same period a decade ago.

The Veracode State of Software Security (SoSS) v12, which analysed more than half a million applications, reveals new data from a cross-section of large and mid-sized companies, commercial software suppliers and open-source projects.
“It is no longer sufficient to scan software as a pre-production step in the last phase of the software development life cycle,” said Chris Wysopal, Co-founder and Chief Technology Officer at Veracode. “Just as software is now deployed continuously, scanning using a variety of testing tools must also happen continuously as a fully integrated part of the process.”

Companies using multiple scan types fix flaws faster

Continuous security testing using multiple scanning types is fast becoming the norm as organisations recognise the need to analyse the software they build across multiple dimensions. More than ever, businesses are using a combination of scan types to secure their software, with a 31% increase in the combined use of static, dynamic and software composition analysis from 2018 to 2021. The trend continues from last year’s State of Software Security report v11, which found that companies using dynamic in addition to static scanning remediated flaws 24 days faster, and that including software composition analysis shaved off another six days.

Time is competitive currency for software development teams

The need for speed has driven software development teams to adopt agile methodologies and process automation tools, as well as cloud-native technologies, open-source software and microservices. While these trends have increased the speed of software development, they have also introduced new complexities and risks.

“The profusion of more modular applications, particularly over the past two years, has driven a sharp increase in the number of applications scanned,” said Chris Eng, Chief Research Officer at Veracode. “In 2018, roughly 20% of applications comprised multiple languages, but this has taken a nosedive to 5%. This suggests a pivot to building smaller applications that perform a single task, which is consistent with the growing popularity of microservices.”

Organisations reap rewards of developer security training

In addition to improvements in scan cadence and remediation capacity, Veracode’s research uncovered the positive impact of interactive security training. Companies whose developers had completed at least one lesson in Veracode Security Labs – a hands-on training programme using real-life applications – fixed flaws 35% faster than organisations without such training.