Veracode, a global provider of application security testing solutions, has published new research that finds most applications are now scanned around three times a week, compared with just two or three times a year a decade ago. The report puts this at a 20x increase in average scan cadence between 2010 and 2021. The number of applications being scanned has also risen dramatically, with developers now testing more than 17 new applications per quarter – more than triple the number scanned over the same period a decade ago.
The Veracode State of Software Security (SoSS) v12, which analysed more than half a million applications, reveals new data from a cross-section of large and mid-sized companies, commercial software suppliers and open-source projects.
“It is no longer sufficient to scan software as a pre-production step in the last phase of the software development life cycle,” said Chris Wysopal, Co-founder and Chief Technology Officer at Veracode. “Just as software is now deployed continuously, scanning using a variety of testing tools must also happen continuously as a fully integrated part of the process.”
Companies using multiple scan types fix flaws faster
Continuous security testing using multiple scanning types is fast becoming the norm as organisations recognise the need to analyse the software they build across multiple dimensions. More than ever, businesses are using a combination of scan types to secure their software, with a 31% increase in the combined use of static analysis (SAST), dynamic analysis (DAST) and software composition analysis (SCA) from 2018 to 2021. The trend continues from last year’s State of Software Security report v11, which found that companies using dynamic in addition to static scanning remediated flaws 24 days faster, and that adding software composition analysis shaved off another six days.
Time is competitive currency for software development teams
The need for speed has driven software development teams to adopt agile methodologies and process automation tools, as well as cloud-native technologies, open-source software and microservices. While these trends have increased the speed of software development, they have also introduced new complexities and risks.
“The profusion of more modular applications, particularly over the past two years, has driven a sharp increase in the number of applications scanned,” said Chris Eng, Chief Research Officer at Veracode. “In 2018, roughly 20% of applications comprised multiple languages, but this has taken a nosedive to 5%. This suggests a pivot to building smaller applications that perform a single task, which is consistent with the growing popularity of microservices.”
Organisations reap rewards of developer security training
In addition to improvements in scan cadence and remediation capacity, Veracode’s research uncovered the positive impact of interactive security training. Companies whose developers had completed at least one lesson in Veracode Security Labs – a hands-on training programme using real-life applications – fixed flaws 35% faster than organisations without such training.