SD Times | www.sdtimes.com | March 2022 | Page 19
New study shows 20x increase in security scan cadence

BY KATIE DEE

As security continues to shift left and DevSecOps efforts expand, software security best practices are rapidly evolving. The State of Software Security Report, conducted by the application security company Veracode, showed that on average, organizations are running scans on their apps 20 times more than they were just 10 years ago. With this, the report also revealed that scan frequency has seen a dramatic increase, with developers now testing more than 17 new applications per quarter, more than triple what was reported for the same period a decade ago.

“Part of this is due to the speed of innovation that has happened in the past few years. More and more software is being written and organizations are realizing that there's a bit of exposure there. There's more customer data being put into those things and the business is being driven by these applications so it's important to make sure that they’re secure,” said Chris Eng, chief research officer at Veracode.

Additionally, there has been a 31% increase in the use of multiple security scan types between 2018 and 2021, with the majority of developers choosing to utilize a combination of static, dynamic, and SCA scans. The study found that organizations that used both dynamic and static scanning were able to remediate 50% of flaws 24 days faster on average. Add SCA scanning to that and it shaves off another 6 days.

Veracode’s report also showed that organizations that invest in hands-on security training early on have a strong advantage over those that don’t. According to the study, companies with this kind of training in place fixed flaws 35% faster than those without.

The report also showed that in 2018, about 20% of apps were operating using multiple languages, but this number dipped to just 5% in 2021. “The composition of applications has changed pretty significantly over the past few years, going from a lot more multi-language applications to that just kind of petering out a little bit, and it coincides with increasing developer interest in microservices so it was kind of cool to see that trend,” Eng said.

Another section of the report focused heavily on the use of open-source libraries and third-party code and the way they are being leveraged by different organizations. It revealed that most of the code in Java applications comes from third parties, and Java continues to push further in that direction. It was also reported that .NET experienced an unexpected upward shift in the percentage of third-party code in its applications; this happened around the release of .NET 5 and resulted in a sharp increase in use of third-party code. Additionally, the report reinforced the findings of previous studies that stated that developers tend to stick to the libraries they know and love rather than bouncing around and refactoring their code base in order to switch to the newest or “most popular” libraries.

[Figure: Scan frequency, 2010 vs. 2021. 2010: the median application was scanned less than once a month (only 10 percent of apps scanned more often than weekly). 2021: 90 percent of apps scanned more than once a week (the majority scanned three times a week).]
[Figure: Scanning cadence over time. Panels: Manual, Dynamic, Static, SCA Agent. X-axis: date of first scan (2010 to 2022). Y-axis: scans, log scale (0 to 1k). Source: State of Software Security, Veracode, 2022.]