The State of Software Security in 2022: How Far We've Come
August 09, 2022

Chris Wysopal
Veracode

In the last six months, organizations from Microsoft to the Red Cross have been hit by cybersecurity breaches. Widespread open-source vulnerabilities, such as Log4j and Spring4shell, have also shaken the software industry, reminding us just how entwined source code has become. These recurring incidents raise the question, are we making progress in securing our software?

According to Veracode's latest State of Software Security (SoSS) report, the answer is yes. Now in its 12th year, this annual report looks at more than half a million active software applications spanning multiple business sectors to identify trends, emerging issues, and best practices in application security. The insights shed light on how far we've come in securing our software — and how far we still have to go.


Impact of Emerging Development Trends on Security

In today's digital-first world, increased connectivity, hypercompetitiveness, and the need to innovate constantly are changing the fabric of security. The ability to develop and deploy code quickly is now critical for just about every organization, and this demand has pushed developers to leverage more modern technologies, agile methodologies, and open-source code to accelerate the development process. These trends have had a positive impact on application security.

More apps are being scanned — Organizations are scanning, on average, more than 17 new applications per quarter. This number is more than triple the number of apps scanned per quarter a decade ago.

Apps are being developed with fewer languages — We're also seeing a decrease in applications with multiple languages. Over the past four years, the number of applications developed with multiple languages has decreased by 20%. As each language has its own security strengths and weaknesses, reducing the number and variety of languages makes it easier to find and fix vulnerabilities in code.

Microservices are on the rise — The SoSS research shows an overall decline in application size, most notably in JavaScript, Python, and .NET apps. Combined, these three trends indicate more microservices — smaller, modular applications — are being used today. While the use of microservices speeds up the software development lifecycle, it also introduces new complexities and risks.

Improved AppSec Best Practices

Despite the headlines, application security has improved vastly over the past decade. It's now the norm for security scanning to be integrated into the software development pipeline as part of a continuous testing and integration methodology. Veracode's annual analysis of customers' applications reveals that certain behaviors, such as a regular scanning cadence, can help developers find and fix vulnerabilities in code faster, which is something customers are realizing and prioritizing. This year's SOSS report found a 20x increase in scanning cadence, with most applications being scanned three times a week.

Organizations Are Using Multiple Scan Types

In addition to more frequent scanning, we also found an increase in the use of multiple different security scanning types. Between 2018 and 2021, the use of multiple scan types increased by 31%, and many organizations are now leveraging a combination of static, dynamic, and software composition analysis (SCA) scans for more holistic and comprehensive security scanning.

This growing trend of using multiple scan types builds upon something we saw in SoSS v11 — companies using dynamic and static scanning together remediated 50% of flaws 24 days faster than those using only one scanning type. Adding in software composition analysis to this mix shaves another six days off this remediation time. As organizations learn that more in-depth security scanning leads to faster remediation of flaws, the bar for "good" security practices should continue to rise.

Third-Party Libraries Have Fewer Flaws

We know that organizations rely heavily on third-party libraries. We also know most open-source libraries have flaws. So, it's heartening to see a decline in the overall number of flaws in third-party libraries. In 2017, nearly 35% (on average) of libraries used had a known flaw. This has come down to about 10%. Specific languages demonstrate different degrees of this decline, with JavaScript dropping six%, and Python from about 25% to nearly 10%. Overall, the data indicates a positive trend.

Flaw Prevalence Is Declining

All this data is interesting, sure, but in the end, how does it impact the security of software code? We looked at the percentage of applications with various flaw types, specifically those listed in the OWASP Top 10, CWE/SANS Top 25, and those classified as "High" criticality or above, to see if any trends emerged. Over the years, the percentage of flaw types bounced around a bit, but it's great to see the trend across all applications is a general reduction in flaw prevalence.

Developer Security Training Works

As cybersecurity becomes a business priority at the board level, developers are starting to reap the benefits of better software security training. This year's report found that hands-on security training for developers is a worthwhile investment.

Applications Are Slowly, but Surely, Getting More Secure

As we look back through more than a decade of historical software security data, we can see how far security has come. As speed of development becomes more critical, today's developers are increasingly adopting agile development of small, modular applications and open-source code. Though it's not happening as quickly as we'd like, applications are getting more secure with the help of tools and services like SCA and developer security training. There's still plenty of room for improvement, especially as the threat landscape continues to change, but we're certainly heading in the right direction.

Chris Wysopal is Co-Founder and CTO of Veracode
Share this

Industry News

September 29, 2022

CloudBees announced the acquisition of ReleaseIQ to expand the company’s DevSecOps capabilities, empowering customers with a low-code, end-to-end release orchestration and visibility solution.

September 29, 2022

SmartBear continues expanding its commitment to the Atlassian Marketplace, adding Bugsnag for Jira and SwaggerHub Integration for Confluence.

Bugsnag developers monitoring application stability and documenting in Jira no longer need to interrupt their workflow to access the app. Developers working in SwaggerHub can use the macro to push API definitions and changes directly to other teams and business stakeholders that work within Confluence. By increasing the presence of SmartBear tools on the Atlassian Marketplace, the company continues meeting developers where they are.

September 29, 2022

Ox Security exited stealth today with $34M in funding led by Evolution Equity Partners, Team8, and M12, Microsoft's venture fund, with participation from Rain Capital.

September 29, 2022

cnvrg.io announced that the new Intel Developer Cloud is now available via the cnvrg.io Metacloud platform, providing a fully integrated software and hardware solution.

September 28, 2022

Kong introduced a number of new performance, security and extensibility features across its entire product portfolio, including major new releases of Kong Gateway, Kong Konnect, Kong Mesh, Kong Insomnia and Kong Ingress Controller, as well as new projects from the Kong Incubator.

September 28, 2022

BroadPeak Partners announced the availability of the new K3 API Connector.

September 28, 2022

Aqua Security announced a new end-to-end software supply chain security solution.

September 27, 2022

DevOps Institute will host SKILup Festival in Singapore on November 15, 2022.

September 27, 2022

Delinea announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams.

September 27, 2022

The Apptainer community announced version 1.1.0 of the popular container system for secure, high-performance computing (HPC). Improvements in the new version provide a smaller attack surface for production deployments while offering features that improve and simplify the user experience.

September 26, 2022

Secure Code Warrior unveiled Coding Labs, a new mechanism that allows developers to more easily move from learning to applying secure coding knowledge, leading to fewer vulnerabilities in code.

September 26, 2022

ActiveState announced the availability of the ActiveState Artifact Repository.

September 26, 2022

Split Software announced the availability of its Feature Data Platform in the Microsoft Azure Marketplace.

September 22, 2022

Katalon announced the launch of the Katalon Platform, a modern and comprehensive software quality management platform that enables teams of any size to easily and efficiently test, launch, and optimize apps, products, and software.

September 22, 2022

StackHawk announced its Deeper API Security Test Coverage release.