Business Wire

MA-VERACODE

11.1.2023 13:51:42 CET | Business Wire | Press release

Share
Veracode Research Reveals Steps to Reduce Introduction and Accumulation of Security Flaws as Apps Grow and Age

Veracode, a leading global provider of modern application security testing solutions, today revealed data that could save organizations time and money by helping developers minimize the introduction and accumulation of security flaws in their software. The Veracode State of Software Security 2023 report found that flaw build-up over time is such that nearly 32 percent of applications are found to have flaws at the first scan and by the time they have been in production for five years, nearly 70 percent contain at least one security flaw. Veracode has been publishing its annual report since 2010, summarizing the key discoveries from its diverse customer base.

With the cost of a data breach averaging $4.35 million*, teams should prioritize remediation early in the software development life cycle to minimize risk caused by flaw accumulation. Chris Eng, Chief Research Officer at Veracode, said, “As with all our studies, we set out to provide insights that developers can put into action right away. From this year’s findings, two important considerations emerged: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced. Aside from technical access controls, secure coding practices are all the more crucial for cybersecurity in 2023 and beyond.”

No Direct Correlation Between App Growth and Flaw Introduction

After the initial scan, apps quickly enter a ‘honeymoon period’ of stability, and nearly 80 percent do not take on any new flaws at all for the first 1.5 years. After this point, however, the number of new flaws introduced begins to climb again to approximately 35 percent at the five-year mark.

The study found that developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs. For example, skipping months between scans correlates with an increased chance that flaws will be found when a scan is eventually run. Furthermore, top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren’t missed.

The Fragility of Open Source

With heightened focus on the Software Bill of Materials over the past year, Veracode’s research team also examined 30,000 open-source repositories publicly hosted on GitHub. Interestingly, 10 percent of repositories hadn’t had a commit—a change to the source code—for almost six years. Eng said, “Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins. Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies.”

An Ounce of Prevention is Worth a Pound of Cure: Steps to Success

Veracode’s research reveals key steps that security and development teams should take:

  • Tackle technical or security debt as early and quickly as possible. The remediation curve must fall earlier and faster because an application will have accumulated flaws by the time it is two years old. Whether through increasing complexity from years of steady growth or diminishing focus on application development, this trend continues upwards, meaning there is a 90 percent chance an application will contain at least one flaw by the 10-year mark. Scanning frequently using a variety of tools helps to find and fix flaws that may have been introduced or built up over time.
  • Prioritize automation and developer security training to provide understanding of which vulnerabilities are most likely to be introduced, as well as techniques to avoid introducing flaws altogether. Overall, the data shows a 27 percent chance that new flaws will be introduced in an application in any given month. Organizations that scan via API reduce this probability to 25 percent. Those that complete 10 Security Labs—a training platform offering hands-on vulnerability detection and remediation experience—also reduce the probability of flaws being introduced by 1.8 percent in any given month.
  • Establish an application lifecycle management protocol that incorporates change management, resource allocation, and organizational controls. Investigate what the supportability and quality control phases look like in your organization. Initial discussions could lead to planned obsolescence for some applications and a review of the processes and quality control measures involved in continuous product engineering.

Jay Jacobs, Co-founder and Data Scientist at The Cyentia Institute, with whom Veracode produced the report, closed, “With Veracode’s State of Software Report, it’s fascinating to examine flaw accumulation and behavior by drawing upon nearly two decades of data. The breadth and depth of the data enables us to not just identify best practices, but also some of the more subtle factors that need to be addressed early in the development process to minimize risk later down the line.”

The Veracode State of Software Security 2023 study analyzed more than three quarters of a million applications across commercial software suppliers, software outsourcers, and open-source projects. The full report is available to download here.

* IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”, July 2022, https://www.ibm.com/downloads/cas/3R8N1DZJ

About the State of Software Security Report

The Veracode State of Software Security 2023 report analyzed data from large and small companies, commercial software suppliers, software outsourcers, and open-source projects. The report contains findings from more than three quarters of a million (759,445) applications that used all scan types, more than a million (1,262,147) dynamic analysis scans, more than seven million (7,522,989) static analysis scans, and more than 18 million (18,473,203) software composition analysis scans. All those scans produced 86 million raw static findings, 3.7 million raw dynamic findings, and 8.5 million raw software composition analysis findings.

About Veracode

Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at www.veracode.com, on the Veracode blog, on LinkedIn, and on Twitter.

Copyright © 2023 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

To view this piece of content from cts.businesswire.com, please give your consent at the top of this page.

View source version on businesswire.com: https://www.businesswire.com/news/home/20230111005141/en/

About Business Wire

Business Wire
Business Wire
101 California Street, 20th Floor
CA 94111 San Francisco

http://businesswire.com
DK

Subscribe to releases from Business Wire

Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.

Latest releases from Business Wire

Garvan Institute of Medical Research Joins Parse Biosciences’ Certified Service Provider Network15.7.2026 22:00:00 CEST | Press release

Researchers across Asia-Pacific gain a new option for high-quality single cell sequencing through Garvan's Evercode WT services Parse Biosciences, a QIAGEN company, and the leader in scalable and accessible single cell sequencing, today announced that the Genomics Platform Core Facility within the Garvan Institute of Medical Research has joined its Certified Service Provider (CSP) Program. The partnership broadens access to high-quality, scalable single cell sequencing across Australia, the wider Asia-Pacific region, and beyond. Garvan is one of Australia's preeminent medical research institutions, with the Genomics Platform having deep experience in cell sorting, capture, and sequencing. As a Certified Service Provider, Garvan will offer Parse's Evercode WT kits to researchers across the region. "We see a growing number of requests for Parse projects and find the technology easy to implement and run, generating great data," said Chris O'Keeffe, Cellular Genomics Lead at the Garvan Ins

Grafana Labs Named a Leader in 2026 Gartner® Magic Quadrant™ for Observability Platforms and Positioned Furthest in Completeness of Vision15.7.2026 20:21:00 CEST | Press release

Named a Leader for the third consecutive year and placed furthest in vision for the second year in a row, the company has had a landmark year of innovation as observability becomes essential infrastructure for teams building and running AI at scale. Grafana Labs, the company behind the open observability cloud, today announced it has been named a Leader in the Gartner® Magic Quadrant™ for Observability Platforms for the third consecutive year, and positioned furthest on the Completeness of Vision axis for the second year running. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260715814984/en/ 2026 Gartner® Magic Quadrant™ for Observability Platforms We believe this placement reflects where the market is headed: toward open, composable observability that helps teams in the AI era understand systems that are increasingly complex and agentic, and rapidly scaling thanks to AI-assisted engineering. A Platform Built for the AI Era

Spectro Cloud Raises $100 Million Series D to Help Customers Move AI Infrastructure Into Production Across Enterprise, Public Sector, Neocloud and Sovereign Cloud Environments15.7.2026 18:20:00 CEST | Press release

Growth Equity at Goldman Sachs Alternatives leads oversubscribed round with strategic participation from AMD Ventures, Ericsson, LG Technology Ventures, and Maximus as organizations look to turn AI silicon into business outcomes Spectro Cloud, a leading provider of AI infrastructure management software, today announced it has raised more than $100 million in an oversubscribed Series D funding round led by Growth Equity at Goldman Sachs Alternatives, with strategic participation from AMD Ventures, Ericsson, LG Technology Ventures, and Maximus. The new funding brings Spectro Cloud’s total capital raised to $260 million and will accelerate the company’s mission to help enterprises, public sector organizations, neoclouds and sovereign clouds build and operate production AI infrastructure with greater control over cost, security and governance. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260715551858/en/ Spectro Cloud raises $

K-Beauty Goes Global: Sales Surge 53% as Korean Innovation Reshapes Beauty Growth15.7.2026 16:00:00 CEST | Press release

New NIQ data shows K-Beauty value sales rose 53% year-over-year and 131% over two years, underscoring how regional beauty trends, social commerce and ingredient-led innovation are reshaping global beauty growth. NIQ (NYSE: NIQ), a global leader in consumer intelligence, today released new findings showing K-Beauty has become a rapidly growing global beauty segment, with value sales up 53% year-over-year and 131% over the past two years. The data points to a broader shift in beauty growth, as regional innovation, social commerce and digitally driven consumer demand increasingly shape what scales globally. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260715867578/en/ K-Beauty accelerates across global markets In its latest report, K-Beauty Goes Global, NIQ shows how Korean beauty is reshaping consumer expectations, accelerating innovation cycles and redefining competitive dynamics across the global beauty market. What began

Viz.ai to Support the MINUTE Trial, a Landmark Multicenter Study Evaluating the SCUBA Technique for the Treatment of Intracerebral Hemorrhage15.7.2026 15:00:00 CEST | Press release

Viz Neuro™ Suite, including Viz ICH™ and Viz ICH Plus™, to facilitate rapid detection and care coordination for patients with basal ganglia hemorrhage across trial sites nationwide. Viz.ai, the leader in AI-powered disease detection and intelligent care coordination, today announced its support for the Minimally Invasive Neurosurgery Trial for Ultra-early Treatment (MINUTE) Trial, a prospective, multicenter, randomized study evaluating whether the SCUBA technique, an endoscopic, catheter-based approach for ultra-early evacuation of basal ganglia intracerebral hemorrhage (BGH), is a promising alternative to standard medical management to potentially improve functional patient outcomes. The study aims to initiate both randomization and surgical intervention within 120 minutes of key clinical time points, reflecting the urgent nature of intracerebral hemorrhage care. Participating sites will have the ability to leverage the Viz Neuro Suite platform, including Viz ICH and Viz ICH Plus, to

In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.

Visit our pressroom
World GlobeA line styled icon from Orion Icon Library.HiddenA line styled icon from Orion Icon Library.Eye