How Secure is the Software that Powers Your World?

**Veracode presents an in-depth view of valuable application security statistics through the State of Software Security (SOSS).** The metrics presented here are drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months.

Explore Statistics Below

SECURE APPLICATIONS

PERFORMANCE STATS

FIXING VULNERABILITIES

VIEW FULL SoSS REPORT

SECURING Your Applications

Applications are not living up to minimal security standards, when they are first assessed.

Explore Statistics Below

Percent of Applications Passing Each Policy

Despite best efforts, applications still aren’t meeting the most basic standards of security.

61.4%

38.6%

65.8%

34.2%

OWASP Top 10

CWE/SANS 25

Did not pass

Passed

74.6^%

in 2016

72^%

in 2015

Purchasing Software Does Not Make You More Secure.

74.6% of commercially developed applications did not pass (OWASP).

That’s up from 72% in 2015.

Internally Developed Applications

Internally developed apps are slowly becoming more secure. 61.1% of internally developed applications did not pass (OWASP).

That’s down from 63% in 2015

Which type of vulnerability is found in more applications?

SQLi

XSS

Directory Traversal

Credential Management

CORRECT!

XSS were found in 49.6% of apps, while SQLi was found in 32.2%

INCORRECT!

XSS were found in 49.6% of apps, while SQLi was found in 32.2%

Industry Benchmarks

Which industries are improving, and how does your security compare to your peers?

Explore Statistics Below

All industries with the exception of financial services have improved their OWASP pass rates.

OWASP policy compliance by industry vertical

Did not pass

Passed

Passed in 2015

Financial Services

60.9%

39.1%

42%

Government

74.9%

25.1%

24%

Healthcare

66.7%

33.3%

31%

Manufacturing

61.3%

38.7%

35%

Other

59.3%

40.7%

30%

Retail and Hospitality

62.4%

37.6%

30%

Technology

61.9%

38.1%

32%

Did not pass

Passed

Passed in 2015

Fixing Your Vulnerabilities

When it comes to fixing vulnerabilities found in applications and software, manufacturing wins.

Explore Statistics Below

Finding vulnerabilities isn’t uncommon when an application is first assessed. The important thing is to fix what is found. However, our research discovered an unevenness between industries in regards to fixing known vulnerabilities.

OWASP policy compliance by industry vertical

Adj Fixed v6

Adjusted Fixed % 2016

Reopen %

Financial Services

50.8%

58.6%

22.4%

Manufacturing

65.5%

70.8%

14.9%

Government

57.7%

57.4%

25%

Healthcare

34.4%

34.1%

7.2%

Retail & Hospitality

57.3%

67.2%

23.2%

Other

40.1%

36%

15.8%

Technology

42.4%

42.2%

12.6%

Adj Fixed v6

Adjusted Fixed % 2016

Reopen %

Components are increasing speed and risk

What percent of Java applications assessed had at least one component with a known vulnerability?

10%

10%

25%

25%

50%

75%

More than 95%

INCORRECT!

97% of all Java applications assessed had at least one component with a known vulnerability.

Failing to upgrade components to the latest version increases risk over time. That means every non-maintained application becomes at more risk as time goes by.

How are companies reducing risk?

Companies are not assessing applications often enough

40%

60%

7

2

Only one
scan

Rescanned at least once

Avg # of scans per app

Median # of scans per app

What happens when companies re-scanned apps?

When companies do re-scan we find that flaw-density decreases.

Apps only assessed once had a higher flaw density than apps scanned multiple times.

67.34%

1st Scan

35.92%

Re-scan

Reduction in Flaw Density

via remediation coaching

69%

39%

44%

60%

22%

64%

No readout requested

Readout requested

1st Scan

Last Scan

% Reduction

1.45x Difference

VIA eLEARNING

46%

42%

68%

31%

55%

No subscription

with subscription

1st Scan

Last Scan

% Reduction

6x Difference

CORRECT!

97% of all Java applications assessed had at least one component with a known vulnerability.

Failing to upgrade components to the latest version increases risk over time. That means every non-maintained application becomes at more risk as time goes by.

How are companies reducing risk?

Companies are not assessing applications often enough

40%

60%

7

2

Only one
scan

Rescanned at least once

Avg # of scans per app

Median # of scans per app

What happens when companies re-scanned apps?

When companies do re-scan we find that flaw-density decreases.

Apps only assessed once had a higher flaw density than apps scanned multiple times.

67.34%

1st Scan

35.92%

Re-scan

Reduction in Flaw Density

via remediation coaching

69%

39%

44%

60%

22%

64%

No readout requested

Readout requested

1st Scan

Last Scan

% Reduction

1.45x Difference

VIA eLEARNING

46%

42%

68%

31%

55%

No subscription

with subscription

1st Scan

Last Scan

% Reduction

6x Difference

WHAT DOES ALL OF THIS MEAN?

Overall the state of software security is improving. But given the critical role applications play in powering our world and our lives, there is still much to be done.

No single technology will solve the root causes of vulnerable applications. And traditional security measures are failing. A different approach to application security – one that aligns with the new role of software and today’s development paradigms – is now key to effective information security.

Veracode presents an in-depth view of valuable application security statistics through the State of Software Security (SOSS). The metrics presented here are drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months.

Applications are not living up to minimal security standards, when they are first assessed.

Percent of Applications Passing Each Policy

Despite best efforts, applications still aren’t meeting the most basic standards of security.

74.6%

in 2016

72%

Purchasing Software Does Not Make You More Secure.

74.6% of commercially developed applications did not pass (OWASP).

That’s up from 72% in 2015.

Internally Developed Applications

Internally developed apps are slowly becoming more secure. 61.1% of internally developed applications did not pass (OWASP).

That’s down from 63% in 2015

Which type of vulnerability is found in more applications?

CORRECT!

XSS were found in 49.6% of apps, while SQLi was found in 32.2%

INCORRECT!

XSS were found in 49.6% of apps, while SQLi was found in 32.2%

Which industries are improving, and how does your security compare to your peers?

All industries with the exception of financial services have improved their OWASP pass rates.

OWASP policy compliance by industry vertical

60.9%

39.1%

42%

74.9%

25.1%

24%

66.7%

33.3%

31%

61.3%

38.7%

35%

59.3%

40.7%

30%

62.4%

37.6%

30%

61.9%

38.1%

32%

When it comes to fixing vulnerabilities found in applications and software, manufacturing wins.

Finding vulnerabilities isn’t uncommon when an application is first assessed. The important thing is to fix what is found. However, our research discovered an unevenness between industries in regards to fixing known vulnerabilities.

OWASP policy compliance by industry vertical

50.8%

58.6%

22.4%

65.5%

70.8%

14.9%

57.7%

57.4%

25%

34.4%

34.1%

7.2%

57.3%

67.2%

23.2%

40.1%

36%

15.8%

42.4%

42.2%

12.6%

What percent of Java applications assessed had at least one component with a known vulnerability?

INCORRECT!

97% of all Java applications assessed had at least one component with a known vulnerability.

How are companies reducing risk?

Companies are not assessing applications often enough

40%

60%

7

2

When companies do re-scan we find that flaw-density decreases.

67.34%

35.92%

Reduction in Flaw Density

1.45x Difference

**Veracode presents an in-depth view of valuable application security statistics through the State of Software Security (SOSS).** The metrics presented here are drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months.

74.6^%

72^%