TechSpective Podcast Chris Eng Veracode

Chris Eng Talks about the State of Software Security Report

TechSpective Podcast Episode 050

“Every company is a software company.”

That is the quote that kicks off the Executive Summary page of the latest State of Software Security Report from Veracode. This is Volume 11 of the report, with a focus on looking ahead to identify how developers can continue to make applications better and more secure.

Obviously, some companies produce microwave ovens, and some businesses repair garage doors. In a purely technical sense, not every company is a software company. But the point of the quote is that, increasingly, no matter what industry a business is in, software and application development play an integral role. Domino’s Pizza has famously declared itself a “tech company that sells pizza.”

So, what insights are revealed in Volume 11 of the State of Software Security report? I’m glad you asked. A press release from Veracode shared the following key findings from the report:

Flawed applications are the norm: 76% of applications have at least one security flaw, but only 24% have high-severity flaws. This is a good sign that most applications do not have critical issues that pose serious risks to the application. Frequent scanning can reduce the time it takes to close half of observed findings by more than three weeks.

Open source flaws on the rise: while 70% of applications inherit at least one security flaw from their open source libraries, SOSS 11 also found that 30% of applications have more flaws in their open source libraries than in the code written in-house. The key lesson is that software security comes from getting the whole picture, which includes identifying and tracking the third-party code used in applications.

Multiple scan types prove efficacy of DevSecOps: teams using a combination of scan types including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) improve fix rates. Those using SAST and DAST together fix half of flaws 24 days faster.

Automation matters: those who automate security testing in the SDLC address half of the flaws 17.5 days faster than those that scan in a less automated fashion.

Paying down security debt is critical: the link between frequently scanning applications and faster remediation times has been established in Veracode’s prior State of Software Security research. This year’s report also found that reducing security debt – fixing the backlog of known flaws – lowers overall risk. SOSS 11 found that older applications with high flaw density experience much slower remediation times, adding an average of 63 days to close half of flaws.
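The findings above on frequent scanning, combining scan types, and automation all describe a practice rather than a tool, so here is a concrete illustration of what that practice looks like in a pipeline. This is an added example, not Veracode's code or anything from the report: a GitHub Actions workflow for a Python project that runs a SAST scan (Semgrep) and an SCA scan (pip-audit) on every push and pull request, plus a scheduled run so the application keeps getting scanned even when nobody is committing. The repository layout, the `requirements.txt` path, and the choice of these two open-source scanners are assumptions; swap in whichever SAST/DAST/SCA tools your team actually uses.

```yaml
# Added example (not from the original page): automated SAST + SCA gating in CI.
# Assumes a Python project with a requirements.txt at the repo root.
name: appsec-scans

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    # Weekly scan of main even with no new commits, so newly disclosed
    # vulnerabilities in already-pinned dependencies still get surfaced
    # (the "frequent scanning" finding in the report).
    - cron: "0 6 * * 1"

permissions:
  contents: read

jobs:
  sast:
    name: Static analysis (SAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install semgrep
      # --error makes the step fail when findings exist; --severity ERROR
      # keeps the gate on high-severity findings only, so the pipeline is
      # not blocked by informational results while the backlog is paid down.
      - run: semgrep scan --config auto --severity ERROR --error .

  sca:
    name: Software composition analysis (SCA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install pip-audit
      # pip-audit exits non-zero when any pinned dependency has a known
      # vulnerability; --strict also fails if a dependency cannot be resolved,
      # so a silently skipped package does not read as "clean".
      - run: pip-audit -r requirements.txt --strict
```

Both jobs run independently and in parallel, so a failure in one does not mask the other, and each one reports the layer it covers: the `sast` job covers code written in-house, while the `sca` job covers the inherited open source dependencies the report calls out. Treating both as required status checks on the main branch is what turns "we scan" into the automated gate the report associates with faster fix rates.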

My guest for this episode of the TechSpective Podcast is someone uniquely qualified to talk about that very thing: Chris Eng, Chief Research Officer for Veracode.

This year’s report includes data analyzed from more than 130,000 applications, an increase of more than 50% over the previous State of Software Security report. One of the things Eng touches on in our discussion is the topic of nature vs. nurture when it comes to application security, as well as the fact that using multiple application security scan types and leveraging automated scanning both contribute to accelerating the remediation effort and improving application security in general.

Don’t take my word for it. You can download Volume 11 of the State of Software Security report to check out for yourself by clicking here.

Please ask questions and share your thoughts on the topic in the comments below. I appreciate your help to share the podcast and grow the audience. Also, please subscribe to the TechSpective podcast through your favorite podcast platform, and share the podcast with your peers and friends.

If you enjoy the podcast, I would also be grateful if you could take 2 minutes to rate and review the podcast on iTunes, or wherever you listen.

Take care and stay safe.
