Dec 10, 2022

Software Security Advancements Show Progress Despite Challenges, Veracode Report Reveals

Veracode's State of Software Security report highlights that applications are more secure than ever, despite challenges.

Software security has advanced significantly over the years, as highlighted in Veracode's recent State of Software Security report. Although challenges remain, applications on average have never been more secure, providing some much-needed optimism amidst global cyber threats.

Despite the progress, the report emphasizes the world-shaking consequences that can follow from the ripple effect of a single vulnerability. A prime example is the global SolarWinds attack, in which malicious code inserted into SolarWinds' Orion software left companies like Microsoft, Cisco, FireEye, and Intel exposed. Government agencies and renowned institutions were no exception to this breach.

To counteract such vulnerabilities, the Biden administration released an executive order on May 12, 2021, introducing new measures aimed at bolstering national cybersecurity. In its 12th annual report, Veracode aims to assist leaders in addressing software security, reducing risk, and complying with these new regulations.

The report reveals an industry trend toward single-language apps or microservices. In 2018, around 20 percent of apps used multiple languages, dropping to less than 5 percent in 2021. Robust continuous testing practices led to 90 percent of apps being scanned multiple times per week, far more frequently than the few scans per year typical in 2010.

Third-party libraries have become less vulnerable over the years. In 2017, 35 percent of libraries contained a known flaw; by 2021 that figure had fallen to 10 percent. The time it takes to fix these third-party vulnerabilities has also improved considerably, although there is still room for improvement.

For instance, in 2017 it took over three years for half of all flaws to be resolved; by 2021, it took just over a year. Yet, even with these gains, an alarming 77 percent of flaws remained unresolved after three months.

Applying Software Composition Analysis (SCA), the researchers discovered that 97 percent of Java apps rely on open-source libraries, which means a flaw in a widely used library can expose a large number of applications for prolonged periods.

Regarding third-party code usage across various languages, Java appears to be the most reliant on third-party code. Meanwhile, .NET's use of third-party code soared from a single-digit percentage to over 50 percent in 2020, coinciding with the release of .NET 5.

JavaScript and Python display inconsistent patterns, with applications consisting predominantly of either in-house or third-party code, while PHP and C++ remain focused on homegrown code. The report suggests that developers tend to rely on tried-and-true libraries rather than refactor their codebases for newer, trendier alternatives.

Moreover, Veracode's study investigates whether specific languages are more prone to flawed libraries and evaluates progress in reducing vulnerabilities over time. Java had the highest average share of vulnerable libraries at 12.5 percent, closely followed by Ruby at approximately 10 percent and Python at around 5 percent. The lowest prevalence of vulnerable libraries was found in PHP, JavaScript, and .NET, each averaging approximately 3 percent.

Significant progress was noted in Java, JavaScript, and Python libraries. Since 2017, the share of vulnerable libraries has fallen from around 25 percent for Java, from 20 percent for Python, and from 10 percent for JavaScript.

Dynamic scanning combined with static analysis improved remediation rates by 50 percent and sped up the process by 24 days on average. Incorporating SCA into the mix further shortened the timeframe by six more days.

American software development has reached an all-time high in security, despite the recent increase in high-profile attacks garnering national attention. Veracode's report acknowledges that there is still work to be done, but software security is on the right track. Utilizing no-code platforms like AppMaster provides an additional layer of security, thanks to their inherent low-risk nature, automatic updates, and compliance monitoring. With continued efforts to address software security risks, the future looks promising.
