The security of software depends more than ever on developers. With the rise of DevOps, developers are releasing code continuously, and application security testing is shifting "left" to become the developer's responsibility. That means developers need the right skills, tools, and support from their security teams to create code that's secure, not just functional.
We recently published our annual research report, the State of Software Security, analyzing data from 400,000 application scans over 12 months spanning 2016 and 2017. Now we're issuing a [State of Software Security Developer Guide], featuring additional data and analysis aimed at helping developers meet the goal of creating secure code. This report offers developer and security communities more information about secure coding best practices, what practices make the biggest impact on application security, and what organizations should do to better support developers in their endeavor to make great software that's also secure software.
Here are the major takeaways from the report, along with CA Veracode's recommendations for making security a seamless part of your development and DevSecOps processes.
Developers aren't trained in secure coding
Traditionally, the focus for developers is creating functional, rather than secure code. CA Veracode research shows that the pass rate of applications against standards like the OWASP Top 10 hasn't budged in recent years, with applications failing policy consistently around 70 percent of the time on the initial scan. When we looked at the prevalence of major vulnerability categories like SQL injection in initial application scans, we see a similar consistency over time. If SQL injection, and other flaws like credentials management, are continuing to show up at the same rate during development, that indicates developer education programs still aren't providing secure coding training.
Even though security defects are being introduced during the initial coding phase, the good news is that developers are fixing security flaws after the initial test--indicating that they do understand the importance of releasing secure code. And as application security programs mature, developers and security teams are getting better at stomping out these common flaws at a higher rate. Mature application security programs have a 35 percent higher OWASP pass rate than programs just starting out.
Developers take security testing seriously.