Veracode report shows signs of progress in securing software supply chain


Veracode's recently released State of Software Security report found a general drop in the number of known security vulnerabilities in third-party libraries, as well as a trend toward scanning smaller applications more regularly. It also finds that the industry still has a long way to go.

The report offers observations on the changing state of software development, common flaws, and advice on the way forward. First, the good news. Across the roughly 600,000 applications scanned, the share of libraries with known security vulnerabilities fell from 35% in 2017 to 10% in 2021. This is likely due to the growing prevalence of security scanning software from commercial vendors such as Veracode and Sonatype, as well as efforts such as GitHub enabling its advanced security features for all public repositories. Most open source contributors are now familiar with GitHub's Dependabot notifications about known vulnerabilities in their project dependencies.

While encouraging, the reduction in the number of vulnerable libraries still leaves a huge exposure. Sonatype's 2021 State of the Software Supply Chain report shows a 650% year-over-year increase in cyberattacks targeting open-source suppliers, and also notes that open-source vulnerabilities are most prevalent in popular projects. The attacker-defender asymmetry means attackers only need to find one vulnerability, while defenders need to secure against all possible vulnerabilities.

Veracode's research notes a decrease in the number of multilingual projects, suggesting a preference for separating applications along language boundaries. They also note that "JavaScript, Python, and .NET have seen a decline in application size, indicating a trend toward more microservices." Microservices reduce the complexity and attack surface of individual applications, at the possible cost of making the integrated system harder to understand and manage.

Veracode has been producing this report for 12 years, with its most recent edition summarizing analyses of nearly 600,000 applications. The longevity of the report allows them to spot contrasts such as the 20-fold increase in the median frequency of analysis between 2010 and 2021. They believe the move from scanning two to three times a year to scanning at least weekly for 90% of applications reflects the integration of security analysis into the development lifecycle and the move towards Agile and DevSecOps. The report shows an exponential decrease in the average time between scans, which Veracode attributes to the increased deployment frequency associated with continuous delivery.

Veracode has seen a gradual increase in the number of applications scanned per customer, to 17 new applications per quarter, up from five in 2010. This implies that security scanning is becoming a more natural act and a lighter lift for development teams as they become more familiar with adding it to the development pipeline. The report points out that integrating tests into the pipeline makes it easier to layer different types of tests to identify different types of defects. For example, static analysis can detect issues such as CRLF injection and SQL injection faults, but must be supplemented with dynamic analysis to detect issues such as bad server configuration. Veracode has seen a 31% increase in the use of multiple types of scans since 2018.
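To make the two static-analysis findings named above concrete, here is an added example (not code from Veracode or from the report) showing a CRLF header-injection fault and a SQL injection fault, each in its vulnerable form beside a hardened form. The HTTP response builder, the tiny header parser, and the SQLite user table with its three rows are all constructed for the illustration.

```python
"""Added example: CRLF (header-injection) and SQL-injection faults of the
kind static analysis flags, each shown vulnerable and hardened.
Illustration only; all data below is constructed for the example."""
import re
import sqlite3


# --- CRLF injection: untrusted input copied into an HTTP response header ---

def build_redirect_vulnerable(target: str) -> bytes:
    # The untrusted value lands in the header verbatim. A CR/LF pair inside
    # it terminates the Location header and lets the attacker append headers
    # (or, with a blank line, an entire response body).
    return b"HTTP/1.1 302 Found\r\nLocation: " + target.encode() + b"\r\n\r\n"


_CTL = re.compile(r"[\r\n\x00]")


def build_redirect_hardened(target: str) -> bytes:
    # Reject rather than silently strip: CR, LF and NUL are never legitimate
    # in a header value, so treat their presence as an attack, not as noise.
    if _CTL.search(target):
        raise ValueError("control characters not allowed in header value")
    return b"HTTP/1.1 302 Found\r\nLocation: " + target.encode() + b"\r\n\r\n"


def parse_headers(raw: bytes) -> dict:
    # Minimal parser used only to show what a client would see.
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()
    return headers


# --- SQL injection: untrusted input concatenated into a query ---

def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String formatting builds the SQL text from attacker-controlled input,
    # so a quote in `name` changes the query's structure.
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding keeps the query text fixed; the input is only data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    injected = "https://example.com/\r\nSet-Cookie: session=attacker"
    print(parse_headers(build_redirect_vulnerable(injected)))
    try:
        build_redirect_hardened(injected)
    except ValueError as exc:
        print("hardened builder rejected input:", exc)

    db = make_db()
    print(find_user_vulnerable(db, "x' OR '1'='1"))   # every row leaks
    print(find_user_hardened(db, "x' OR '1'='1"))     # no match
```

Both faults share the same root cause that a static analyser tracks: data flows from an untrusted source into a sink (a header line, a SQL string) without passing through validation or binding. Note what the scanner cannot see: whether the server that ultimately emits the redirect also sets security headers or whether the database user is over-privileged, which is the kind of configuration issue the dynamic layer the report mentions is there to catch.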

Since the White House released the Executive Order on Improving the Nation's Cybersecurity last May, numerous vendor reports have drawn attention to the challenge of securing the software supply chain. Security remains a hugely underserved topic in the IT world, periodically garnering the attention of anxious and impatient executives, while beleaguered security professionals strive to make it easier and more integrated into development.

The Veracode report was co-authored with the Cyentia Institute, a security research and data analysis institute founded by some of the authors of Verizon's Data Breach Investigations Report. Interested readers are invited to download the State of Software Security report to learn more.

