
Veracode Report Shows Signs of Progress in Securing Software Supply Chain


Veracode's recently released State of Software Security report finds a general decline in the share of third-party libraries carrying known security vulnerabilities, along with a trend toward smaller applications being scanned more regularly for issues. It also finds that the industry still has a long way to go.

The report offers observations on the changing state of software development, common flaws, and advice on a path forward. First, the good news. Across the 600,000 applications scanned, the share of libraries that contained known security vulnerabilities declined from 35% in 2017 to 10% in 2021. This is likely due to the increasing prevalence of security scanning software from commercial providers like Veracode and Sonatype, as well as efforts like GitHub enabling its Advanced Security features on all public repositories. Most open-source contributors are now familiar with GitHub's Dependabot notifications of known vulnerabilities in their projects' dependencies.

While encouraging, the reduction in the share of vulnerable libraries still leaves an enormous exposure. Sonatype's 2021 State of the Software Supply Chain report indicated a 650% year-over-year increase in cyberattacks aimed at open-source suppliers, and also notes that open-source vulnerabilities are most pervasive in popular projects. The attacker-defender asymmetry means that attackers only need to find one exploitable vulnerability, whereas defenders need to close every one.

Veracode's research notes a declining number of multi-language projects, indicating a preference for separating applications along language boundaries. They also note that "JavaScript, Python, and .NET have seen declines in app sizes, indicating a trend toward more microservices." Microservices reduce the complexity and attack surface of individual applications, at the possible cost of making the integrated system more difficult to understand and manage, and of moving part of the attack surface into the network calls between services.

Veracode has produced this report for 12 years, and the most recent edition summarizes scans of almost 600,000 applications. The longevity of the report allows them to spot contrasts such as the 20x increase in median scan frequency between 2010 and 2021. In 2010 the typical application was scanned two to three times per year; by 2021, 90% of applications were scanned at least weekly, a change Veracode says reflects the integration of security scanning into the development lifecycle and the move toward agile and DevSecOps. The report shows an exponential decrease in the mean time between scans, which Veracode posits is due to the rise in deployment frequency associated with continuous delivery.

Veracode observed a gradual increase in the number of applications scanned per customer, growing to 17 new apps per quarter, up from five in 2010. This implies that security scanning is becoming a more natural act and a lighter lift for development teams as they gain familiarity with adding it to the development pipeline. The report points out that building tests into the pipeline makes it easier to layer in different types of tests to identify different types of flaws. For example, static analysis can detect issues like CRLF injection and SQL injection flaws, but it needs to be complemented with dynamic analysis to detect issues like server misconfiguration, which is only visible in the running system and not in the source. Veracode found a 31% increase in the use of multiple types of scans since 2018.
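To make the layering concrete, here is an added example (not code from the report or from Veracode) showing the two flaw classes the report names, each beside its hardened form, and a header check of the kind a dynamic scanner performs against a running server. The users table, the injection payloads and the HTTP response are all constructed for the example; the expected-header list is an assumed minimum, not Veracode's ruleset.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return conn


def find_user_vulnerable(conn, name):
    """SQL injection: the user-controlled value is spliced into the query text.
    This string-building pattern is what a static analyser flags as tainted
    data reaching a SQL sink."""
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def redirect_vulnerable(location):
    """CRLF injection: a user-controlled value is written into a raw response
    header. A CR LF pair inside it ends the Location header and lets the
    caller append headers of their own."""
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def redirect_safe(location):
    """Hardened form: reject any control character before it reaches a header."""
    if re.search(r"[\x00-\x1f\x7f]", location):
        raise ValueError("control character in header value")
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def response_headers(raw):
    """Split a raw HTTP response into its header lines (status line excluded)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


# Assumed minimum set of headers whose absence a dynamic scanner would report
# as a server misconfiguration. Nothing in the application source reveals
# whether the server sends them; only a response from the running server does.
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options")


def missing_security_headers(raw):
    present = {line.split(":", 1)[0].strip().lower() for line in response_headers(raw)}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


SQLI_PAYLOAD = "x' OR '1'='1"                         # constructed
CRLF_PAYLOAD = "/home\r\nSet-Cookie: session=attacker"  # constructed
# Constructed response from a hypothetical server that sends only one of the
# expected headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)


def demo():
    """Run every check once and return the results for inspection."""
    conn = make_db()
    try:
        redirect_safe(CRLF_PAYLOAD)
        crlf_rejected = False
    except ValueError:
        crlf_rejected = True
    return {
        "sqli_vulnerable": find_user_vulnerable(conn, SQLI_PAYLOAD),  # both rows leak
        "sqli_safe": find_user_safe(conn, SQLI_PAYLOAD),              # no match
        "crlf_headers": response_headers(redirect_vulnerable(CRLF_PAYLOAD)),
        "crlf_rejected": crlf_rejected,
        "misconfig": missing_security_headers(SAMPLE_RESPONSE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The first two pairs are what a static analyser can see in source (a tainted value flowing into a query string or a header), while the last check has no static equivalent: the same code base behaves differently behind differently configured servers, so the missing headers only show up when something talks to the deployed system.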

Since the White House issued the Executive Order on Improving the Nation's Cybersecurity in May 2021, there has been a flurry of reports from vendors directing attention to the challenge of securing the software supply chain. Security is a critically underserved topic in the IT world, receiving periodic bursts of attention from anxious and impatient executives while beleaguered security pros labor to make it easier and more integrated into development.

The Veracode report was co-written with the Cyentia Institute, a security research and data analysis institute founded by some of the authors of Verizon's Data Breach Investigations Report. Interested readers are encouraged to download the State of Software Security report to read more.
