Among the findings in its annual State of Software Security report, application-scanning vendor Veracode reports that clients who took hands-on training classes fixed vulnerabilities 60 days faster than those who did not.
"I've always found, going back even to my consulting days, when you tell somebody that they have a vulnerability, it's one thing when you show them the vulnerability on a slide and another if you give them a link where they can actually see the credit cards being dumped from their vulnerable page from their database," said Chris Eng, chief research officer at Veracode.
The report rounds up metrics for Veracode clients, showing the impacts of different practices on how code is written and secured.
One major trend over the past few years is a dramatic increase in scanning, with steady, exponential improvement year over year for at least a decade. In 2010, only 1 in 10 apps were scanned more than once a week. By 2021, that number had risen to 9 in 10, and companies now average more than three scans a week.
That may be due to the rise of microservices, noted Eng. With several small, single-purpose applications rather than one giant application, engineers can update code on a much faster cadence.
"If you're deploying more often and you've got an automated pipeline, you can introduce security into those pipelines and scan more," said Eng. "If you scan more often, you'll catch more."
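What "introducing security into the pipeline" looks like in practice is a gate step that reads the scanner's output and fails the build on findings above a chosen severity. The script below is an added example, not code from Veracode or from the report; it assumes the scanner emits SARIF 2.1.0 (a common interchange format for static-analysis results), that the build should fail on any "error"-level result, and that a small baseline of already-accepted rule IDs may pass so frequent scanning can be switched on without blocking every team on its existing backlog. The SARIF document embedded in the block is constructed for illustration.

```python
"""Pipeline gate over SARIF static-analysis output (added example, not the
article's or Veracode's code). Exit non-zero when blocking findings remain."""
import json
import sys

# Constructed sample SARIF 2.1.0 document; not output from any real scanner.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "xml-entity-expansion", "level": "error",
             "message": {"text": "XML parser allows external entities"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/import.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})


def parse_findings(sarif_text):
    """Flatten SARIF runs[].results[] into simple dicts the gate can filter on."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                # SARIF results without an explicit level are treated as warnings.
                "level": result.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings, fail_levels=("error",), baseline=frozenset()):
    """Return (passed, blocking). A finding blocks the build when its level is
    in fail_levels and its rule ID is not in the accepted baseline."""
    blocking = [f for f in findings
                if f["level"] in fail_levels and f["rule"] not in baseline]
    return (len(blocking) == 0, blocking)


def main(argv):
    # Hypothetical usage: gate.py [results.sarif] [accepted-rule-id ...]
    sarif_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    baseline = frozenset(argv[2:])
    passed, blocking = gate(parse_findings(sarif_text), baseline=baseline)
    for f in blocking:
        print(f"BLOCK {f['level']:7} {f['rule']:22} {f['file']}:{f['line']}  {f['message']}")
    print("scan gate:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments and it evaluates the embedded sample and exits 1, which is the behaviour a CI job needs to stop the deploy; pass rule IDs after the file path to accept them as baseline. Keep the baseline in version control next to the pipeline definition so that every exception is reviewed like code, and tighten `fail_levels` to include warnings once the error-level backlog is gone.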