In Volume 4 of the State of Software Security Report, additional analysis has been possible due to the larger data set available. In this volume emphasis is given to the analysis of the (primarily US?) governmental sector, as well as more data on the effect of developer training and education on software security. On this, Veracode reports that a "high level of application security knowledge also delivered higher security quality applications". That's encouraging, since developer training is one of the first areas where effort should be expended in creating a secure software development lifecycle programme.
One of the other interesting conclusions was the potential fast turnaround for remediation and re-testing to solve problems, suggesting that "development agility and application security are not mutually exclusive".
Cross-site scripting continues to be the most prevalent vulnerability overall — there was an interesting discussion last week about what this means in terms of business impact on the Web Application Security - From the Start blog.
Volume 4 also includes some initial results on static code analysis of Android applications. If you are developing mobile applications, do read the OWASP Mobile Security Project's Top 10 Mobile Controls and Design Principles.
Posted on: 06 January 2012 at 21:17 hrs