High profile incidents in the last 18 months have brought the importance of software security into sharp focus.
Software vulnerabilities are surfacing with increasing frequency, as the zero-day exploitation of the Log4j flaw showed. Geopolitical unrest has consequences in cyberspace, with high-profile targets such as critical infrastructure at risk. Governments are taking notice too: a new executive order on cybersecurity in the US and the recently published National Cybersecurity Strategy in the UK are bringing tighter regulation into the software security space.
No wonder, then, that what was once confined to the silo of IT has leapt up the C-suite's agenda, and rightly so: the importance of continuous security cannot be overstated.
While it feels like we’re living in ever-changing times, the evolution we’ve seen in software security over the last decade can arm us with learnings to help protect our organisations for the future. Veracode’s recent State of Software Security report analysed over half a million applications created between 2010 and 2021, providing a wealth of insights.
Application scanning is on the rise - but organisations need to do more
Most applications are now scanned around three times a week, a twenty-fold increase on a decade ago, when this happened only two or three times a year. Developers are also scanning a higher volume of applications than ever before; more than 17 new ones per quarter, which is more than triple the volume seen 10 years ago. While this demonstrates good progress overall, when we dive into the data by region, we find that many European firms lag behind their counterparts in other parts of the world, and would benefit from better finding and fixing of the most critical flaws.
More organisations should use multiple scan types to fix flaws faster
Continuous security testing using multiple scanning types is fast becoming standard practice. We saw a 31% increase in the combined use of static, dynamic, and software composition analysis (SCA) from 2018 to 2021. Combining different analysis types also shortens the timeframe for companies to fix vulnerabilities, given that development teams performing dynamic scans alongside static ones took an average of 24 days less to fix half of their identified vulnerabilities.
However, third-party component (SCA) scanning is an area where Europe has ample room for improvement compared with regions such as America, which is leading the way.
Time is competitive currency for developers
The need for speed has driven software development teams to adopt more modern software development methodologies and architectures. While these trends have increased the speed of software development, they have also introduced new complexities and risk.
The profusion of modular applications, particularly over the past two years, has contributed to the sharp increase in the number of applications scanned. In 2018, roughly 20% of applications comprised multiple languages, but recently this has dropped to just 5%. This is indicative of developers pivoting to building smaller applications that perform a single task, which is consistent with the growing popularity of microservices.
Developer security training needs to be prioritised
Our data shows that the rate at which bugs are fixed correlates with the use of interactive, hands-on security training in labs. Developers who participated in Veracode's Security Labs experiential training were typically able to fix flaws two months faster than those without such training. With speed ever more important, this time saving is valuable. When countries like the UK have only three fully certified bachelor degrees recognised by the National Cyber Security Centre, organisations need to invest in training to ensure they are properly skilling up their developers.
SecDevOps is the way forward
Continuous evolution of software security is necessary to ensure organisations are effectively protected against the next vulnerability – wherever it may come from. The only way to do this is to shift security even further into the design phase, moving from DevSecOps to SecDevOps. We’ve seen good progress in the software security space in Europe over the last decade; however now is not the time to be complacent. By prioritising software security, putting it on the boardroom table, and empowering developers, organisations can evolve and reap the benefits of a SecDevOps approach.
John Smith is EMEA Chief Technology Officer at Veracode.