Veracode report shows signs of progress in securing software supply chain


Veracode’s recently released Software Security Status Report revealed a general decline in the number of known security vulnerabilities found in third-party libraries, as well as a trend to scan smaller applications for issues more regularly. He also finds that the industry still has a long way to go.

The report offers observations on the changing state of software development, common flaws, and advice on the way forward. First, the good news. Of the 600,000 applications scanned, the number of libraries with known security vulnerabilities fell from 35% in 2017 to 10% in 2021. This is likely due to the growing prevalence of security scanning software from commercial vendors like Veracode and Sonatype, as well as efforts such as GitHub enabling advanced security for all public repositories. Most open source contributors are now familiar with GitHub’s Dependabot notifications of known vulnerabilities in their projects’ dependencies.

While encouraging, the reduction in the number of vulnerable libraries still leaves huge exposure. Sonatype’s 2021 State of the Software Supply Chain report indicated a 650% year-over-year increase in cyberattacks targeting open source vendors, and also notes that open source vulnerabilities are the most prevalent in popular projects. The attacker-defender asymmetry means that attackers only need to find one vulnerability, while defenders need to secure all possible vulnerabilities.

Veracode research notes a decrease in the number of multilingual projects, indicating the preference for separating applications along language boundaries. They also note that “JavaScript, Python, and .NET have seen a decline in application size, indicating a trend toward more microservices.” Microservices reduce the complexity and attack surface of individual applications, at the possible cost of making an integrated system harder to understand and manage.

Veracode has been producing this report for 12 years, with its most recent report summarizing analyzes of nearly 600,000 apps. The longevity of this report allows them to spot contrasts such as the 20-fold increase in the median frequency of analysis between 2010 and 2021. The move from analysis two to three times a year to analysis at least weekly for 90 % of applications that they believe reflect the integration of security analysis into the development lifecycle, and the move towards Agile and DevSecOps. The report reflects an exponential decrease in the average time between scans, which Veracode says is due to the increased deployment frequency associated with continuous delivery.

Veracode has seen a gradual increase in the number of applications scanned per customer, to 17 new applications per quarter, up from five in 2010. This implies that security scanning is becoming a more natural act and a lighter acceleration for security teams. development as they become more familiar by adding it to the development pipeline. The report points out that integrating tests into the pipeline makes it easier to layer different types of tests to identify different types of defects. For example, static analysis can detect issues such as CRLF and SQL injection faults, but it must be supplemented with dynamic analysis to detect issues such as server misconfiguration. Veracode has seen a 31% increase in the use of multiple types of scans since 2018.

Since the White House issued the Enhancing the Cybersecurity of Nations Executive Order last May, numerous vendor reports have drawn attention to the challenge of securing the software supply chain. Security is a hugely underserved topic in the IT world, periodically garnering the attention of anxious and impatient executives, while beleaguered security professionals strive to make it easier and more integrated into development.

The Veracode report was co-authored with the Cyentia Institute, a security research and data analysis institute founded by some of the authors of Verizon’s data breach investigation report. Interested readers are encouraged to download the Software Security Status Report to learn more.


Comments are closed.