Hands-on learning knocks two months off fixing broken code

The terms “Bitcoin,” “Blockchain” and “JavaScript” are seen next to a rendition of a rocket in the window of a company that offers blockchain application services on Dec. 21, 2021, in Berlin. (Photo by Sean Gallup/Getty Images)

Among the findings in its annual State of Software Security report, application-scanning vendor Veracode reports that clients who took hands-on training classes fixed vulnerabilities 60 days faster than those who did not.

Veracode found that the average lifespan of a vulnerability in client organizations that had taken some of its Security Labs experiential learning classes was 110 days, compared with 170 days for those who had not. Broken down by programming language, the same organizations produced around 25% fewer bugs per application after taking hands-on classes in Python and JavaScript, with more modest improvements in .NET and Java. PHP rates stayed about the same, and C++ showed a marginal increase.

"I've always found, going back even to my consulting days, when you tell somebody that they have a vulnerability, it's one thing when you show them the vulnerability on a slide and another if you give them a link where they can actually see the credit cards being dumped from their vulnerable page from their database," said Chris Eng, chief research officer at Veracode.

The report rounds up metrics for Veracode clients, showing the impacts of different practices on how code is written and secured.

One major trend over the past few years is a dramatic increase in scanning, with steady, exponential growth year over year for at least a decade. In 2010, only 1 in 10 apps was scanned more than once a week. By 2021, that number had risen to 9 in 10. Companies now average more than three scans a week.

That may be due to the rise of microservices, Eng noted. By using several small, single-purpose applications rather than one giant application, engineers can now update code on a much faster cadence.

"If you're deploying more often and you've got an automated pipeline, you can introduce security into those pipelines and scan more," said Eng. "If you scan more often, you'll catch more."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
