The importance of implementing security analysis in the software development lifecycle
Veracode has published research that reveals that most apps are now scanned about three times a week, compared to just two or three times a year a decade ago. This represents a 20x increase in the average scan rate between 2010 and 2021.
Crawl frequency has also increased dramatically, with developers now testing more than 17 new apps per quarter, more than triple the number of apps scanned in the same period a decade ago. The research, which analyzed more than half a million apps, reveals new data from a cross-section of large and midsize companies, commercial software vendors and open source projects.
With studies showing that there are now 4.66 billion active internet users worldwide, the world is more connected than ever. “It is no longer enough to analyze software as a pre-production stage in the last phase of the software development lifecycle. Just as software is now continuously deployed, analysis using various testing tools must also occur continuously as a fully integrated part of the process,” said Chris WysopalCTO at Veracode.
Companies using multiple types of scans fix vulnerabilities faster
Continuous security testing using multiple types of analysis is quickly becoming the norm as organizations recognize the need to analyze the software they create across multiple dimensions.
More than ever, companies are using a combination of scanning types to secure their software, with a 31% increase in the combined use of static, dynamic, and software composition scanning from 2018 to 2021.
The trend continues since last year’s State of Software Security v11 report, which found that companies using dynamic analysis in addition to static analysis fixed vulnerabilities 24 days faster, and including software composition analysis, gained an additional six days.
Time is a competitive currency for software development teams
The need for speed has driven software development teams to adopt agile methodologies and process automation tools, as well as cloud-native technologies, open-source software, and microservices. While these trends have accelerated software development, they have also introduced new complexities and risks.
“The profusion of more modular apps, especially over the past two years, has led to a sharp increase in the number of apps being scanned,” said Veracode’s director of research, Chris Eng. “In 2018, around 20% of applications included multiple languages, but this has dropped to 5%. This suggests a pivot towards building smaller applications that perform a single task, which is consistent with the growing popularity of microservices.
Organizations Reap the Benefits of Developer Security Training
In addition to improvements in scan throughput and remediation capability, Veracode research has revealed the positive impact of interactive security training. Companies whose developers had taken at least one lesson in a training program using real applications fixed vulnerabilities 35% faster than organizations without such training.
“With so few computer science programs teaching software security in college, the power of training with real and vulnerable applications in a safe and guided environment cannot be underestimated. Our data demonstrates that those who participate to training labs can have a head start when it comes to understanding the origin of faults and correcting them quickly,” said Eng.