Veracode, a global provider of application security testing (AST), has revealed usage data that demonstrates cybersecurity is becoming more automated and componentised in line with modern software architectures and development practices. The analysis of 5,446,170 static scans and more than 310,000 apps over 13 months, from September 2020 to October 2021, found a startling 143% growth in the number of small apps, like APIs and microservices, and a 133% increase in automated scans run through APIs instead of manually.
COVID-19 has accelerated Digital Transformation over the past 18 months and businesses are competing aggressively to be first to market with digital products and services. Pressure on developers to build and deploy software more quickly than ever has precipitated the shift to DevSecOps – integrating Development, Security and Operations to make Application Security an integral part of the software life cycle. At long last, companies are applying AppSec controls to secure the integrity of the development process, as well as scaling DevSecOps pipeline patterns across the entire enterprise.
“The rise of automation and componentisation in software development has driven a sharp increase in the speed and automation of software security as businesses look to AI and Machine Learning for flaw identification, threat modelling and remediation,” said Chris Wysopal, Co-founder and Chief Technology Officer at Veracode. “We’ve already seen DevSecOps grow rapidly in maturity and now there’s an opportunity to shift security even further left into the design phase to become SecDevOps.”
Componentisation drives speed and efficiencies
Alongside the upward trajectory in automation, Veracode also found a downward trend in the complexity and size of the code being analysed, as evidenced by the 30% reduction in the average number of modules scanned per scan, indicating a shift towards scanning of individual components or microservices. This is not surprising considering the rapid adoption of both componentised applications and DevOps practices.
With large applications broken down into small reusable components – or microservices – developers can work in more agile ways to iterate quickly and deliver continuously in increments. Interestingly, the rise of API-first development has improved software security with the average time to fix a flaw reduced by around 50% when using static analysis for APIs or microservices. API scanning also enables organisations to find and fix vulnerabilities in APIs as early and efficiently as possible.
“Recent high-profile attacks, such as the SolarWinds hack, have put the vulnerability of the software supply chain firmly in the spotlight,” Wysopal added. “Businesses now seek the next evolution of software security for peace of mind. This means offering the assurance of continuous orchestration, such as policy definition and management, inline remediation with the ability to ‘self-heal’ and runtime intelligence that highlights any flaws introduced as underlying components change.”