Veracode's State of Software Security report for 2023 found that there is a 27% chance within a given month that security flaws will be introduced into an application. A number of factors were found to affect this chance, including scan frequency, scanning method, the amount of developer security training, and the application's programming language. The report also found that JavaScript applications on average have fewer flaws and faster flaw resolution than Java and .NET applications.
The report reviewed all applications scanned within the Veracode platform. One key finding is that the choice of programming language has an effect on the types, quantity, and resolution of flaws. While JavaScript applications still introduce flaws, they tend to be resolved faster. This quicker resolution early in the application's lifecycle leads to an improved resolution trend over time.
On average, four out of every five Java and .NET applications have at least one flaw, compared with JavaScript applications, where just over half have one or more flaws. Java and .NET applications also have nearly twice as many high-severity issues as JavaScript applications.
Also covered were the top types of flaws discovered by the different scans done within the platform. The top issue discovered by static analysis was carriage return line feed (CRLF) injection at 64.8%, followed closely by cryptographic issues (59.8%) and information leakage (59.3%). From dynamic analysis scans, server configuration was the top issue found, with 96.5% of discovered flaws being tagged as configuration issues.
The projects analyzed showed that applications grow by about 40% per year regardless of their initial size. In addition, flaw introduction tends to follow application growth with some exceptions. As the report notes:
Following the initial onboarding of an application we see a rapid decrease. The application then enters what we are calling the "honeymoon period", and for the first couple of years, things are stable. To the contrary, close to 80% of applications do not introduce flaws at all during this early life cycle phase.
Within a given month, an application has a 27% chance of having one or more new flaws introduced and discovered. The report had a number of findings that help to adjust that number up or down. Organizations that scanned their applications via API had a 2% reduction in that probability. The authors posit that scanning via API tends to be a more mature activity and that "we can assume it has other things in place, such as access control to the pipeline".
Having developers complete security training programs corresponded to a 1.8% reduction in the probability of new issues being introduced. Conversely, applications carrying higher security debt, measured as a flaw density of one flaw per megabyte of code, were 2.2% more likely to introduce a defect.
The report has a number of recommendations to help with driving the remediation curve down faster and earlier. The recommendations include prioritizing automation, providing developer security training, and establishing application lifecycle management. For application lifecycle management, the primary goals are ensuring it is clear who owns the application, the purpose the application serves, and when the application should be moved to end-of-life.
For more details from the Veracode State of Software Security 2023 report, readers are directed to the Veracode site.