DevSecOps Is Mainstream: New Research Finds 20x Increase in Software Security Scanning Over the Past Decade

  • Veracode State of Software Security report reveals the average cadence for organizations scanning apps has grown 20x since 2010
  • The number of apps scanned for security flaws per quarter has more than tripled over the past decade
  • Businesses with hands-on security training for developers fix software flaws 35% faster

Number of applications scanned (Photo: Business Wire)

BURLINGTON, Mass.--()--Veracode, the largest global provider of application security testing solutions, today published new research that finds most applications are now scanned around three times a week, compared to just two or three times a year a decade ago. This represents a 20x increase in average scan cadence between 2010 and 2021. Scan frequency has also risen dramatically, with developers now testing more than 17 new applications per quarter—more than triple the number of apps scanned over the same period a decade ago. The Veracode State of Software Security (SoSS) v12, which analyzed more than half a million applications, reveals new data from a cross-section of large and mid-sized companies, commercial software suppliers, and open-source projects.

With studies showing that there are now 4.66 billion active internet users globally*, the world is more connected than ever. “It is no longer sufficient to scan software as a pre-production step in the last phase of the software development lifecycle. Just as software is now deployed continuously, scanning using a variety of testing tools must also happen continuously as a fully integrated part of the process,” said Chris Wysopal, Co-founder & Chief Technology Officer at Veracode.

Companies Using Multiple Scan Types Fix Flaws Faster

Continuous security testing using multiple scanning types is fast becoming the norm as organizations recognize the need to analyze the software they build across multiple dimensions. More than ever, businesses are using a combination of scan types to secure their software, with a 31 percent increase in the combined use of static, dynamic, and software composition analysis from 2018 to 2021. The trend continues from last year’s State of Software Security report v11, which found that companies using dynamic in addition to static scanning remediated flaws 24 days faster, and including software composition analysis shaved off another six days.

Time Is Competitive Currency for Software Development Teams

The need for speed has driven software development teams to adopt agile methodologies and process automation tools, as well as cloud-native technologies, open-source software, and microservices. While these trends have increased the speed of software development, they have also introduced new complexities and risk.

“The profusion of more modular applications, particularly over the past two years, has driven a sharp increase in the number of applications scanned,” said Chief Research Officer at Veracode, Chris Eng. “In 2018, roughly 20 percent of applications comprised multiple languages, but this has taken a nosedive to five percent. This suggests a pivot to building smaller applications that perform a single task, which is consistent with the growing popularity of microservices.”

Organizations Reap Rewards of Developer Security Training

In addition to improvements in scan cadence and remediation capacity, Veracode’s research uncovered the positive impact of interactive security training. Companies whose developers had completed at least one lesson in Veracode Security Labs—a hands-on training program using real-life applications—fixed flaws 35 percent faster than organizations without such training. “With so few computer science programs teaching software security at university, the power of training with real, vulnerable applications in a safe, guided environment cannot be underestimated. Our data demonstrates that those who participate in training labs may have a head-start when it comes to understanding the origin of flaws and fixing them quickly,” Eng said.

Wysopal closed, “Our goal is to help companies make informed decisions about their software security programs. This means they can not only minimize risk, but also meet increasingly prescriptive regulations, such as those outlined in the U.S. executive order on cybersecurity and the new cybersecurity strategy just released by the U.K. government. The results in this latest SoSS research give us hope that there is a heightened focus on application security, and that the added attention from media and government is making a positive impact.”

The full Veracode State of Software Security v12 is available to download here.

* Statista, Joseph Johnson, “Global digital population as of January 2021”: https://www.statista.com/statistics/617136/digital-population-worldwide/. January, 2021

Methodology

The State of Software Security v12 analyzed the full historical data from Veracode services and customers. This accounts for a total of more than half a million applications (592,720) that used all scan types, more than a million dynamic analysis scans (1,034,855), more than five million static analysis scans (5,137,882) and more than 18 million software composition analysis scans (18,473,203). All those scans produced 42 million raw static findings, 3.5 million raw dynamic findings, and six million raw SCA findings.

The data represents large and small companies, commercial software suppliers, software outsourcers, and open-source projects. In most analyses, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated, and new versions uploaded.

About Veracode

Veracode is the leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities.

Veracode serves thousands of customers worldwide across a wide range of industries. The Veracode solution has assessed more than 53 trillion lines of code and helped companies fix more than 71 million security flaws.

Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Copyright © 2022 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

Contacts

Katy Gwilliam
kgwilliam@veracode.com

Release Summary

Veracode finds dramatic increases in average scan cadence and application scanning frequency over past decade as DevSecOps becomes mainstream.

Social Media Profiles

Contacts

Katy Gwilliam
kgwilliam@veracode.com