
Three ways companies can reduce software security flaws


Software drives innovation and lets organizations progress with digital transformation, letting them deliver services and programs more efficiently, transparently, and cost-effectively.

As a result, IT and security leaders recognize the importance of keeping applications and technology up-to-date. Outdated technology and unpatched software let attackers exploit vulnerabilities to gain access to sensitive information, launch denial-of-service attacks, or even take control of systems.

Development teams have adopted automation, cloud-native technologies, microservices architectures, and open source code to accelerate and scale their efforts. This speeds up application development, but it also introduces complexity and security risk.

Since the world has become so interconnected, a security flaw in one application can have a ripple effect, leaving software vulnerable worldwide. We have experienced this over the past three years, with a string of attacks on the software supply chain.

IBM reports that the average cost of a data breach in 2023 is $4.45 million, up from $4.35 million in 2022, and this number will only continue to rise. IT leaders need to help developers minimize the introduction and accumulation of security flaws in their software. Security flaws are implementation defects that can lead to a vulnerability; vulnerabilities are exploitable conditions within code that let attackers breach applications.

Data from our recent report show that flaws are so prevalent that 32% of applications already contain flaws when they are first placed into production. By the time they have been in production for five years, nearly 70% contain at least one security flaw.

This suggests that remediation must begin earlier and move faster, because an application will already have accumulated flaws by the time it is two years old. Whether through increasing complexity from years of steady growth or diminishing focus on production over time, there is a 90% chance an application will contain at least one flaw by the time it is 10 years old.

Application size, age, and the amount of time that’s passed since the last scan are all factors that increase the probability of new flaws being introduced. But it’s not enough to simply point out flaws; developers need to better understand how to fix those flaws and avoid creating new ones in the future.

Three best practices for reducing flaws

Scanning via APIs, hands-on security training, and scan frequency are best practices that organizations can implement to reduce flaw introduction over time. Here’s a quick rundown:

  • Prioritize automation by scanning via APIs: The rise of automation and reusable components in software development has driven the need for speed and automation in software security as well. Scanning via APIs refers to programs that employ automation and limit human interaction throughout the software development lifecycle. Organizations that build in automation so that scans are launched via APIs perform better, reducing the chance of introducing flaws at all. According to data from our State of Software Security report, when applications integrate code scanning into their pipeline via API scanning, the probability that flaws are introduced drops by 2% on average. The research indicates there is about a 27% chance that an application will introduce one or more new flaws in any given month, so an organization can reduce that base chance from 27% to 25% by using automation.
  • Scan frequently using multiple types of scans: Scanning from concept to deployment, and continuing until an application is decommissioned, eliminates most of the vulnerabilities that lead to security breaches. The longer a team waits to analyze an application, the more likely it will discover one or more flaws when the app is eventually scanned. For every month of delay in scanning, organizations can expect an average 1.3% increase in the likelihood of flaw introduction; if it has been a while, flaws quickly pile up. Continuous testing and integration, which includes security scanning in pipelines, has become the norm, as Veracode reported a year ago. A decade ago, applications were scanned two or three times a year. Now, 90% of applications are scanned more than once a week, with the majority scanned three times a week. Organizations should also use multiple scan types, with a full suite of tools that includes static analysis, dynamic analysis, and software composition analysis (SCA).
  • Establish hands-on developer security training: Developer security training remains vital for detecting flaw introduction and for subsequent remediation. Organizations can do this through lessons that give developers hands-on experience with the flaws themselves. Using real code, developers are led through examples of specific coding flaws and can then develop and execute exploits to build their intuition about security flaws. Hands-on training lets developers write the patches that fix the flaws, giving them valuable experience for when they are alerted to flaws in their own code.
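
The first two practices above, automated scanning in the pipeline and frequent scanning with several scan types, come together in a policy gate that runs as a CI step. The following is an added example written for this article, not Veracode's code or API: it assumes each scanner (static, dynamic, SCA) writes a small JSON result with a `scan_type`, a `completed_at` timestamp and a list of findings, and it fails the build when any required scan is missing or stale, or when a high or critical finding is present. The result format, the policy thresholds and the sample findings are all constructed for illustration.

```python
"""CI security gate (added example; the result format and policy are assumptions).

Policy enforced:
  1. every required scan type (static, dynamic, sca) must have a result,
  2. no result may be older than MAX_SCAN_AGE (the "scan frequently" rule),
  3. no finding of a blocking severity may remain open.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Policy knobs, constructed for this example; tune them to your own pipeline.
REQUIRED_SCAN_TYPES = {"static", "dynamic", "sca"}
MAX_SCAN_AGE = timedelta(days=7)
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed sample scanner output. Real tools emit their own formats (SARIF,
# CycloneDX, vendor JSON); a thin adapter per tool would normalise to this shape.
SAMPLE_RESULTS = [
    json.dumps({
        "scan_type": "static",
        "completed_at": "2023-10-02T09:15:00+00:00",
        "findings": [
            {"id": "S-101", "severity": "high",
             "title": "SQL query built by string concatenation",
             "location": "app/orders.py:88"},
            {"id": "S-102", "severity": "low",
             "title": "Verbose error page enabled",
             "location": "app/settings.py:12"},
        ],
    }),
    json.dumps({
        "scan_type": "sca",
        "completed_at": "2023-09-01T03:00:00+00:00",  # over a month old: stale
        "findings": [],
    }),
    # Note: no "dynamic" result at all, so the gate must report it as missing.
]

# A second constructed set in which every scan is fresh and nothing blocks.
CLEAN_RESULTS = [
    json.dumps({"scan_type": t, "completed_at": "2023-10-02T09:15:00+00:00",
                "findings": [{"id": f"{t}-1", "severity": "low",
                              "title": "Informational", "location": "n/a"}]})
    for t in ("static", "dynamic", "sca")
]

# Fixed evaluation time so the example is reproducible; a real gate uses now().
EVALUATION_TIME = datetime(2023, 10, 3, tzinfo=timezone.utc)


def parse_result(raw):
    """Parse one scanner result, normalising the timestamp to an aware datetime."""
    data = json.loads(raw)
    completed = datetime.fromisoformat(data["completed_at"])
    if completed.tzinfo is None:
        completed = completed.replace(tzinfo=timezone.utc)
    return {"scan_type": data["scan_type"], "completed_at": completed,
            "findings": list(data.get("findings", []))}


def evaluate(raw_results, now):
    """Apply the policy; return a verdict with human-readable reasons."""
    newest = {}
    for r in (parse_result(raw) for raw in raw_results):
        prev = newest.get(r["scan_type"])
        if prev is None or r["completed_at"] > prev["completed_at"]:
            newest[r["scan_type"]] = r  # keep only the latest run per scan type

    reasons = [f"missing {t} scan" for t in sorted(REQUIRED_SCAN_TYPES - set(newest))]
    for scan_type, r in sorted(newest.items()):
        age = now - r["completed_at"]
        if age > MAX_SCAN_AGE:
            reasons.append(f"{scan_type} scan is stale "
                           f"({age.days} days old, limit {MAX_SCAN_AGE.days})")

    blocking = [f for r in newest.values() for f in r["findings"]
                if f.get("severity", "").lower() in BLOCKING_SEVERITIES]
    reasons.extend(f"{f['severity']} finding {f['id']}: {f['title']} ({f['location']})"
                   for f in blocking)
    return {"passed": not reasons, "reasons": reasons, "blocking_findings": blocking}


def run_sample():
    return evaluate(SAMPLE_RESULTS, EVALUATION_TIME)


def run_clean_sample():
    return evaluate(CLEAN_RESULTS, EVALUATION_TIME)


if __name__ == "__main__":
    verdict = run_sample()
    for reason in verdict["reasons"]:
        print("GATE:", reason)
    # A CI step communicates failure through its exit code.
    sys.exit(0 if verdict["passed"] else 1)
```

Run as the last step of the pipeline, the script fails the build with three reasons for the constructed sample (a missing dynamic scan, a stale SCA scan, and one high-severity static finding) and passes the clean set; wiring each real scanner's API call into the steps before it is what makes scanning automatic rather than something a person remembers to do.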

In addition to scanning via APIs, hands-on security training, and scan frequency, companies should also consider establishing an application lifecycle management program that incorporates change management, resource allocation, and organizational controls.

Organizations can succeed by integrating security throughout the software development lifecycle. Efforts to automate and streamline software security will help teams establish effective safeguards and vulnerability remediation within their organization’s pipeline at the developer level.

Chris Eng, chief research officer, Veracode
