Software Code Security Analysis Results
My posts about creating roadmap charts to describe your software assurance implementation programme are now all live (see Part 1, Part 2 and Part 3) on the OWASP SAMM blog. Back in March, I discussed Veracode's first State of Software Security Report and, amongst other things, asked whether they had data on the secure development lifecycle practices being used by their clients. Veracode published the second report on Wednesday.
Volume 2 of this semi-annual report continues and updates the analysis of the results from organisations that uploaded their software code for independent security verification. The data now covers the code-level analysis of over 2,900 web (including mobile) and non-web (e.g. legacy and back-end) applications. But how about that question on secure development practices? The summary says that 60% of their customers are launching a formal, comprehensive security programme for the first time. That's a high proportion just starting, and I wonder whether the remaining 40% already have such programmes in place or whether they don't have anything formal or comprehensive at all. It would be good to have some more details of what security practices these, or the best companies, are using.
Do read the report. Some other teasers from the report are that 8 out of 10 applications failed to comply with the OWASP Top Ten, cross-site scripting (XSS) is the most prevalent vulnerability, third-party code (e.g. components) has the lowest security quality, up to 76% of internally developed applications' code came from third parties, and that the security quality of applications from banking, insurance and other financial services companies was not commensurate with their business criticality—their security is good, but not good enough.
Key take-away: "a robust application security program[me] must incorporate multiple testing methods in order to ensure that applications are assessed with sufficient coverage".
Posted on: 28 September 2010 at 08:55 hrs