MA-VERACODE
Veracode, a leading global provider of application security testing solutions, today revealed that the healthcare sector takes first place for the proportion of software security flaws that are fixed, at 27 percent. The sector overtook financial services as the top-performing industry, demonstrating healthcare providers have made good headway toward the goal of making their software more secure over the past year.
The data was published in the company’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans across half a million applications in the healthcare, financial, technology, manufacturing, retail, and government sectors.
Chris Eng, Chief Research Officer at Veracode, said, “Healthcare is one of the more highly regulated sectors and is considered critical infrastructure by the government, so it’s encouraging to see the sector performs comparatively well in terms of overall flaw remediation. We hope healthcare developers and IT staff see this as a welcome ray of sunshine amidst the all-too-often gloomy realm of software security. There is still work to do, so here’s to more improvements in the years to come.”
Despite taking the top spot for fix rate, 77 percent of applications in the healthcare industry contain vulnerabilities, with 21 percent of applications containing high severity vulnerabilities. The sector also has ample room for improvement in terms of the time spent to fix flaws once they’re detected, taking up to a whopping 447 days to reach the halfway point of remediation.
Healthcare Breach Costs Are the Most Expensive
With healthcare companies incurring the highest average breach costs, at a new record high of $10.1 million*, taking proactive steps to minimize the risk of a cyberattack is imperative. Since data breaches in highly regulated industries tend to be associated with larger long-term costs that accrue over the ensuing years, the industry would benefit from even greater comprehensive efforts to address security earlier in the software development lifecycle.
Of the six industries analyzed, healthcare providers rank toward the bottom for the proportion of applications with any flaws, and second to last for the percentage of high-severity flaws—defined as those that present a serious risk to the application and organization if they were to be exploited. When it comes to the types of flaws discovered from dynamic analysis of applications in the sector, compared to other industries healthcare providers perform well for authentication issues and insecure dependencies, but have a higher incidence of cryptographic and deployment configuration issues.
Eng said, “We know that no application will ever be 100 percent free of security flaws, so it’s important that businesses take all necessary steps to minimize risk as much as possible. This includes scanning at a regular, rapid pace using multiple testing types, integrating testing tools into developer environments, and providing hands-on training to help developers understand the origin of flaws and how to fix or prevent them entirely. The healthcare sector should also take extra care to prioritize critical flaws—those vulnerabilities that could have a catastrophic impact if left unaddressed for too long.”
Andrew McCall, Vice President of Engineering, Azalea Health Innovations, said, “The biggest obstacle to building security into our workflows is that developers will treat security as just a checkbox. But security is an ongoing process and has to be top of mind throughout the software development life cycle. We chose Veracode because it was the easiest and best solution when it comes to integrating into our existing processes.”
Third-party Library Security
Considering a sharp increase in regulations to secure the software supply chain over the past year, the report analyzed third-party libraries to identify how vulnerabilities discovered through software composition analysis (SCA) behave. Overall, around 30 percent of vulnerable libraries remain unresolved after two years; however, that statistic reduces to 25 percent for the healthcare sector. In fact, while the overall ratio of vulnerable libraries found by SCA trends down steadily over time, healthcare experienced a brief upward spike before driving rates down dramatically over the last year or so.
The Veracode State of Software Security v12 healthcare snapshot is available to download here and the full report is available here.
* IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”: https://www.ibm.com/downloads/cas/3R8N1DZJ, July 2022
About the State of Software Security Report
The Veracode State of Software Security (SoSS) v12 analyzed the full historical data from Veracode services and customers. This accounts for a total of more than half a million applications (592,720) that used all scan types, more than a million dynamic analysis scans (1,034,855), more than five million static analysis scans (5,137,882) and more than 18 million software composition analysis scans (18,473,203). All those scans produced 42 million raw static findings, 3.5 million raw dynamic findings, and six million raw SCA findings.
The data represents large and small companies, commercial software suppliers, software outsourcers, and open-source projects. In most analyses, an application was counted only once, even if it was submitted multiple times as vulnerabilities were remediated, and new versions uploaded.
About Veracode
Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at www.veracode.com, on the Veracode blog and on Twitter.
Copyright © 2022 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.
To view this piece of content from cts.businesswire.com, please give your consent at the top of this page.
View source version on businesswire.com: https://www.businesswire.com/news/home/20220922005100/en/
About Business Wire
Subscribe to releases from Business Wire
Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.
Latest releases from Business Wire
Enginzyme and AGC Create Scalable Process for Key mRNA Ingredient12.1.2026 06:00:00 CET | Press release
At the mRNA Health conference in Berlin, enginzyme and AGC Inc. presented a scalable process to produce a key mRNA vaccine and therapy ingredient, N1-methylpseudouridine-5'-triphosphate (m¹ΨTP). The rapid growth of mRNA-based vaccines and therapeutics has driven significant demand for modified nucleotides like m¹ΨTP, which enhances mRNA stability and expression, while reducing immunogenicity. Enginzyme is a deep-tech company delivering optimized biomanufacturing solutions through cell-free enzyme engineering technology. AGC Inc. is a leading global player in fields spanning from architectural glass to chemicals and life science. AGC Inc. provides services in a wide range of life science fields, from synthetic pharmaceuticals and agrochemicals, to biopharmaceuticals and leading-edge cell and gene therapies, as well as messenger RNAs. The presentation in November detailed the latest collaboration between the companies, with a focus on the biomanufacturing of nucleotides for mRNA therapy,
Ant International Partners with Google’s Universal Commerce Protocol to Expand AI Capabilities12.1.2026 02:15:00 CET | Press release
Ant International, a leading global payment, digitisation, and financial technology provider, is collaborating on the launch of Google’s Universal Commerce Protocol (UCP), a new open standard for agentic commerce that works across the entire shopping journey — from discovery and buying to post-purchase support. UCP establishes a common language for agents and systems to operate together across consumer surfaces, businesses, and payment providers to enable commerce. So instead of requiring unique connections for every individual agent, UCP enables all agents to interact easily. UCP is built to work across verticals and is compatible with existing industry protocols like Agent2Agent (A2A), Agent Payments Protocol (AP2), and Model Context Protocol (MCP). “For agentic commerce to scale, it’s critical for the industry to align on a common set of standards. We are proud to have Ant International endorse the Universal Commerce Protocol as the foundation for that future,” said Ashish Gupta, VP
Torq Secures $140M Series D at $1.2B Valuation to Lead the AI SOC and Agentic AI Era11.1.2026 17:59:00 CET | Press release
Fueled by Massive Customer Adoption of AI Agents, Torq Scales the World’s First True AI SOC Platform and Accelerates Expansion into the U.S. Federal Market Torq, the established Agentic AI security operations pioneer, today announced it has closed a massive $140 million Series D funding round, propelling its valuation to $1.2 billion and total funding to $332M. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260112510774/en/ Led by Merlin Ventures—a leading cybersecurity fund renowned for its deep access to the U.S. commercial and Public Sector markets—with participation from all existing investors, including Evolution Equity Partners, Notable Capital, Bessemer Venture Partners, Insight Ventures Partners, and Greenfield Partners, this capital injection is a definitive investment in the future of security. Torq is driving the industry’s critical shift: the complete transformation of the Security Operations Center (SOC) through
Andersen udvider sine kompetencer med tilføjelsen af Scimitar9.1.2026 21:44:00 CET | Pressemeddelelse
Andersen Consulting har indgået en samarbejdsaftale med Scimitar, der er et firma med fokus på at accelerere innovation i biovidenskabsbranchen. Scimitar, der har hovedkvarter i USA, et førende konsulenthus inden for strategieksekvering for biovidenskabsbranchen. Virksomheden er specialiseret i design af driftsmodeller, digital transformation og organisatorisk forandring. Scimitar samarbejder med medicinal- og biotech-virksomheder om at accelerere innovation, styrke den driftsmæssige eksekvering og sikre compliance gennem hele produkters livscyklus. Deres praktiske og samarbejdsorienterede tilgang sikrer løsninger, der ikke blot er formålstjenlige, men også skalerbare. "Virksomheder inden for biovidenskabsbranchen befinder sig i en tid med hurtige videnskabelige fremskridt, stigende regulatorisk kompleksitet og et voksende behov for operationel agilitet, samtidig med at de holdes op mod de højeste standarder for patientsikkerhed og dataintegritet," udtaler Ramy Khalil, CEO i Scimitar.
Biocytogen and Acepodia Expand Collaboration Through Option-based Evaluation Framework for First-in-Class Bispecific and Dual-Payload ADCs (BsAD2C)9.1.2026 13:00:00 CET | Press release
Expanded collaboration builds on Acepodia and Biocytogen’s recent co-development efforts to evaluate selected bispecific antibody and dual-payload ADC programs Biocytogen Pharmaceuticals (Beijing) Co., Ltd. (Biocytogen, SSE: 688796; HKEX: 02315) and Acepodia (6976:TT), today announced that the companies have entered into an option and license agreement designed to enable the structured evaluation of bispecific antibody-drug conjugate (BsADC) programs to further advance the development of dual-payload bispecific antibody-drug conjugates (BsAD2Cs). The agreement grants Acepodia an option to obtain an exclusive worldwide license from Biocytogen for two BsADC programs. Under the terms of the agreement, Biocytogen is eligible to receive an upfront option fee and, upon Acepodia’s exercise of the option, additional payments including option exercise fees, development, regulatory, and commercial milestone payments, as well as royalties on future product sales. The financial terms of the agreem
In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.
Visit our pressroom