Yes, Developers Care About Security

But there's plenty of room for improvement across organizations. Perhaps this needs to be a C-suite initiative rather than an IT or CISO initiative?

CA Veracode has just published its annual State of Software Security (SOSS) report which analyzes data from 400,000 application scans from April 1, 2016 to March 31, 2017. The applications were written in more than a dozen programming languages for large and small organizations across a wide range of industries.

A key finding is that most developers don't try to game the system by rejecting findings as false positives, or as mitigated by design. Developers documented mitigations for just 14.4% of all the flaws found by the CA Veracode platform.

Other key takeaways for developers:

  1. Applications passed the OWASP Top 10 only 30% of the time. This is consistent with the previous four SOSS reports.

  2. Java, at 43.2%, and .NET, at 32.7%, were the most frequently scanned languages.

  3. Many of the same types of vulnerabilities keep cropping up at the same rate. SQL injection flaws appeared in nearly 28% of newly scanned apps in 2017 and were detected in about one-third of applications for the last five SOSS reports.

  4. Every language shows a statistically significant incidence, on the first scan, of some of the highest-impact vulnerability classes, including cross-site scripting, credentials management, SQL injection, and cryptographic issues.

  5. Even once AppSec programs are put into place, it takes meaningful engagement across software engineering, security, and operations teams to make improvements. Fewer than one-third of flaws were closed in 90 days or less and 42% of flaws were not closed in a year.

  6. Organizations are making progress in reducing the number of applications with the highest severity flaws. Between the first security test and the latest scan, the rate of applications with "high" and "very high" severity vulnerabilities declined by 26%.

  7. The longer developers and security teams work together to improve application security, the better they get. Organizations with AppSec programs in place for 10 years have an all-time OWASP Top 10 pass-rate that's 35% higher than those with programs in place for a year or less.

If you'd like to learn more about the details, you can download the report here.
