MA-VERACODE
Veracode, a leading global provider of modern application security testing solutions, today revealed data that could save organizations time and money by helping developers minimize the introduction and accumulation of security flaws in their software. The Veracode State of Software Security 2023 report found that flaw build-up over time is such that nearly 32 percent of applications are found to have flaws at the first scan and by the time they have been in production for five years, nearly 70 percent contain at least one security flaw. Veracode has been publishing its annual report since 2010, summarizing the key discoveries from its diverse customer base.
With the cost of a data breach averaging $4.35 million*, teams should prioritize remediation early in the software development life cycle to minimize risk caused by flaw accumulation. Chris Eng, Chief Research Officer at Veracode, said, “As with all our studies, we set out to provide insights that developers can put into action right away. From this year’s findings, two important considerations emerged: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced. Aside from technical access controls, secure coding practices are all the more crucial for cybersecurity in 2023 and beyond.”
No Direct Correlation Between App Growth and Flaw Introduction
After the initial scan, apps quickly enter a ‘honeymoon period’ of stability, and nearly 80 percent do not take on any new flaws at all for the first 1.5 years. After this point, however, the number of new flaws introduced begins to climb again to approximately 35 percent at the five-year mark.
The study found that developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs. For example, skipping months between scans correlates with an increased chance that flaws will be found when a scan is eventually run. Furthermore, top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren’t missed.
The Fragility of Open Source
With heightened focus on the Software Bill of Materials over the past year, Veracode’s research team also examined 30,000 open-source repositories publicly hosted on GitHub. Interestingly, 10 percent of repositories hadn’t had a commit—a change to the source code—for almost six years. Eng said, “Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins. Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies.”
An Ounce of Prevention is Worth a Pound of Cure: Steps to Success
Veracode’s research reveals key steps that security and development teams should take:
- Tackle technical or security debt as early and quickly as possible. The remediation curve must fall earlier and faster because an application will have accumulated flaws by the time it is two years old. Whether through increasing complexity from years of steady growth or diminishing focus on application development, this trend continues upwards, meaning there is a 90 percent chance an application will contain at least one flaw by the 10-year mark. Scanning frequently using a variety of tools helps to find and fix flaws that may have been introduced or built up over time.
- Prioritize automation and developer security training to provide understanding of which vulnerabilities are most likely to be introduced, as well as techniques to avoid introducing flaws altogether. Overall, the data shows a 27 percent chance that new flaws will be introduced in an application in any given month. Organizations that scan via API reduce this probability to 25 percent. Those that complete 10 Security Labs—a training platform offering hands-on vulnerability detection and remediation experience—also reduce the probability of flaws being introduced by 1.8 percent in any given month.
- Establish an application lifecycle management protocol that incorporates change management, resource allocation, and organizational controls. Investigate what the supportability and quality control phases look like in your organization. Initial discussions could lead to planned obsolescence for some applications and a review of the processes and quality control measures involved in continuous product engineering.
Jay Jacobs, Co-founder and Data Scientist at The Cyentia Institute, with whom Veracode produced the report, closed, “With Veracode’s State of Software Report, it’s fascinating to examine flaw accumulation and behavior by drawing upon nearly two decades of data. The breadth and depth of the data enables us to not just identify best practices, but also some of the more subtle factors that need to be addressed early in the development process to minimize risk later down the line.”
The Veracode State of Software Security 2023 study analyzed more than three quarters of a million applications across commercial software suppliers, software outsourcers, and open-source projects. The full report is available to download here.
* IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”, July 2022, https://www.ibm.com/downloads/cas/3R8N1DZJ
About the State of Software Security Report
The Veracode State of Software Security 2023 report analyzed data from large and small companies, commercial software suppliers, software outsourcers, and open-source projects. The report contains findings from more than three quarters of a million (759,445) applications that used all scan types, more than a million (1,262,147) dynamic analysis scans, more than seven million (7,522,989) static analysis scans, and more than 18 million (18,473,203) software composition analysis scans. All those scans produced 86 million raw static findings, 3.7 million raw dynamic findings, and 8.5 million raw software composition analysis findings.
About Veracode
Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at www.veracode.com, on the Veracode blog, on LinkedIn, and on Twitter.
Copyright © 2023 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.
To view this piece of content from cts.businesswire.com, please give your consent at the top of this page.
View source version on businesswire.com: https://www.businesswire.com/news/home/20230111005141/en/
About Business Wire
Subscribe to releases from Business Wire
Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.
Latest releases from Business Wire
Thales Reinforces its Leadership in eSIM and IoT Connectivity with a ‘Ready to Use’ Certified Solution8.7.2025 08:00:00 CEST | Press release
At a time when billions of connected objects are reshaping industries, Thales has achieved an essential security certification for its eSIM solution, reinforcing its leadership in trusted connectivity management for the Internet of Things (IoT). The certification, granted by the GSMA under the eSIM Security Assurance (eSA) scheme, marks a significant milestone in enabling large-scale, secure, and efficient IoT deployments across industries including smart metering, healthcare, and automotive. This positions Thales as a trusted partner capable of providing full protection against advanced cyber threats — delivering end-to-end security solutions, from chip to cloud, and ensuring compliance with emerging security standards (e.g., the EU Cyber Resilience Act). With over 5.8 billion IoT cellular connections expected globally by 2030 (GSMA Intelligence), businesses and industries face growing pressure to deploy connected devices at scale — securely and efficiently. The SGP.32 IoT specificati
Invivoscribe Expands Flow Cytometry Services to Accelerate CAR-T Immunotherapy Development and Regulatory Readiness with the Initiation of CERo Therapeutics Phase 1 Clinical Trial8.7.2025 06:00:00 CEST | Press release
Invivoscribe Inc., a global leader in precision diagnostics and measurable residual disease (MRD) testing, is proud to support CERo Therapeutics Holdings, Inc., an innovative immunotherapy company seeking to advance the next generation of engineered T cell therapeutics that employ phagocytic mechanisms. Through this collaboration, LabPMM (Invivoscribe’s global reference laboratories) have customized their multiparametric flow cytometry (MFC) services and implemented their sensitive MFC AML MRD assay to supportCERo’s clinical trial of its lead compound, CER-1236. The trial targets Acute Myeloid Leukemia (AML) in patients who are relapsed/refractory, in remission with MRD, or newly diagnosed with TP53-mutated MDS/AML. AML is an aggressive blood cancer characterized by the rapid accumulation of abnormal myeloid cells in the bone marrow and blood, disrupting normal hematopoiesis.1 Treating AML is especially complex due to its genetic heterogeneity and the high risk of relapse. CAR-T (chime
Tigo Energy Adds Solar-Plus-Storage Portfolio in Czech Republic to Build on MLPE Success8.7.2025 06:00:00 CEST | Press release
Successful PPDS P4 protocol certification opens full range of three-phase Tigo EI Inverters and the EI Residential product suite for grid connection in second-strongest E.U. market for Tigo. Tigo Energy, Inc. (NASDAQ: TYGO) (“Tigo” or “Company”), a leading provider of intelligent solar and energy software solutions, today announced that the Company’s entire portfolio of three-phase Tigo EI Inverters has successfully passed the certification tests for compliance with the PPDS P4 requirements in the Czech Republic. Compliance with PPDS P4, formally known as Distribution System Operation Rules, Annex 4, is a prerequisite for grid connection of solar inverters in the Czech Republic, validating the compatibility with the technical conditions defined by the European Commission and adopted by local utility companies. In the wake of the proliferation of rapid shutdown requirements across Europe, with installers in the Czech Republic deploying nearly 107MW of Tigo MLPE in 2024, Tigo products ha
Murata Launches World’s First High-Frequency Filter Using XBAR Technology for 5G, Wi-Fi 7, and Future 6G Networks8.7.2025 04:00:00 CEST | Press release
Murata Manufacturing Co., Ltd. (TOKYO: 6981) (ISIN: JP3914400001) has announced the mass production and commercial shipment of the world’s first*1 high-frequency filter using XBAR technology*2. Developed by combining Murata’s proprietary Surface Acoustic Wave (SAW) filter expertise with XBAR technology from Murata's subsidiary Resonant Inc., it enables the extraction of desired signals while achieving both low insertion loss and high attenuation. These features are critical for the latest wireless technologies, including 5G, Wi-Fi 6E, Wi-Fi 7, and emerging 6G technologies. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20250707682186/en/ [Murata Manufacturing Co., Ltd.] The world’s first high-frequency filter using XBAR technology The demand for reliable high-frequency communications continues to grow in response to the widespread deployment of 5G and the future development of 6G. Simultaneously, wireless local-area network (W
YES Delivers Multiple VertaCure LX Systems7.7.2025 21:34:00 CEST | Press release
Yield Engineering Systems (YES), a leading provider of process equipment for AI and HPC semiconductor applications, today announced the delivery of multiple VertaCure™ LX curing systems to one of Taiwan’s top outsourced semiconductor assembly and test (OSAT) providers. These systems will support advanced packaging processes for Edge Computing and HPC solutions, delivering critical low-temperature curing, annealing, and degassing for WLCSP, Plated Bump, and Cu Pillar applications. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20250703001376/en/ VertaCure LX The VertaCure LX is a fully automated vacuum curing and degassing system engineered to ensure uniform temperature distribution and precise control of heating and cooling rates. This results in complete solvent removal, improved film properties, elimination of outgassing after cure, and outstanding particle performance. YES products have consistently demonstrated superior qu
In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.
Visit our pressroom