Business Wire

Veracode Research Reveals Steps to Reduce Introduction and Accumulation of Security Flaws as Apps Grow and Age


Veracode, a leading global provider of modern application security testing solutions, today revealed data that could save organizations time and money by helping developers minimize the introduction and accumulation of security flaws in their software. The Veracode State of Software Security 2023 report found that flaw build-up over time is such that nearly 32 percent of applications are found to have flaws at the first scan and by the time they have been in production for five years, nearly 70 percent contain at least one security flaw. Veracode has been publishing its annual report since 2010, summarizing the key discoveries from its diverse customer base.

With the cost of a data breach averaging $4.35 million*, teams should prioritize remediation early in the software development life cycle to minimize risk caused by flaw accumulation. Chris Eng, Chief Research Officer at Veracode, said, “As with all our studies, we set out to provide insights that developers can put into action right away. From this year’s findings, two important considerations emerged: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced. Aside from technical access controls, secure coding practices are all the more crucial for cybersecurity in 2023 and beyond.”

No Direct Correlation Between App Growth and Flaw Introduction

After the initial scan, apps quickly enter a ‘honeymoon period’ of stability, and nearly 80 percent do not take on any new flaws at all for the first 1.5 years. After this point, however, the number of new flaws introduced begins to climb again to approximately 35 percent at the five-year mark.

The study found that developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs. For example, skipping months between scans correlates with an increased chance that flaws will be found when a scan is eventually run. Furthermore, top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren’t missed.

The Fragility of Open Source

With heightened focus on the Software Bill of Materials over the past year, Veracode’s research team also examined 30,000 open-source repositories publicly hosted on GitHub. Interestingly, 10 percent of repositories hadn’t had a commit—a change to the source code—for almost six years. Eng said, “Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins. Setting organizational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies.”

An Ounce of Prevention is Worth a Pound of Cure: Steps to Success

Veracode’s research reveals key steps that security and development teams should take:

  • Tackle technical or security debt as early and quickly as possible. The remediation curve must fall earlier and faster because an application will have accumulated flaws by the time it is two years old. Whether through increasing complexity from years of steady growth or diminishing focus on application development, this trend continues upwards, meaning there is a 90 percent chance an application will contain at least one flaw by the 10-year mark. Scanning frequently using a variety of tools helps to find and fix flaws that may have been introduced or built up over time.
  • Prioritize automation and developer security training to provide understanding of which vulnerabilities are most likely to be introduced, as well as techniques to avoid introducing flaws altogether. Overall, the data shows a 27 percent chance that new flaws will be introduced in an application in any given month. Organizations that scan via API reduce this probability to 25 percent. Those that complete 10 Security Labs—a training platform offering hands-on vulnerability detection and remediation experience—also reduce the probability of flaws being introduced by 1.8 percent in any given month.
  • Establish an application lifecycle management protocol that incorporates change management, resource allocation, and organizational controls. Investigate what the supportability and quality control phases look like in your organization. Initial discussions could lead to planned obsolescence for some applications and a review of the processes and quality control measures involved in continuous product engineering.

Jay Jacobs, Co-founder and Data Scientist at The Cyentia Institute, with whom Veracode produced the report, closed, “With Veracode’s State of Software Report, it’s fascinating to examine flaw accumulation and behavior by drawing upon nearly two decades of data. The breadth and depth of the data enables us to not just identify best practices, but also some of the more subtle factors that need to be addressed early in the development process to minimize risk later down the line.”

The Veracode State of Software Security 2023 study analyzed more than three quarters of a million applications across commercial software suppliers, software outsourcers, and open-source projects. The full report is available to download here.

* IBM Security and The Ponemon Institute, “Cost of a Data Breach Report 2022”, July 2022,

About the State of Software Security Report

The Veracode State of Software Security 2023 report analyzed data from large and small companies, commercial software suppliers, software outsourcers, and open-source projects. The report contains findings from more than three quarters of a million (759,445) applications that used all scan types, more than a million (1,262,147) dynamic analysis scans, more than seven million (7,522,989) static analysis scans, and more than 18 million (18,473,203) software composition analysis scans. All those scans produced 86 million raw static findings, 3.7 million raw dynamic findings, and 8.5 million raw software composition analysis findings.

About Veracode

Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities. Learn more at, on the Veracode blog, on LinkedIn, and on Twitter.

Copyright © 2023 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

To view this piece of content from, please give your consent at the top of this page.

Contact information

For more information:
Katy Gwilliam

About Business Wire

Business Wire
Business Wire
24 Martin Lane
EC4R 0DR London

+44 20 7626 1982

(c) 2018 Business Wire, Inc., All rights reserved.

Business Wire, a Berkshire Hathaway company, is the global leader in multiplatform press release distribution.

Subscribe to releases from Business Wire

Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.

Latest releases from Business Wire

Takeda Completes Acquisition of Nimbus Therapeutics’ TYK2 Program Subsidiary9.2.2023 00:30:00 CET | Press release

Takeda (TSE:4502/NYSE:TAK) today announced that it has completed an acquisition of all shares of Nimbus Lakshmi, Inc. (“Lakshmi”) from Nimbus Therapeutics, LLC (“Nimbus”), on February 8, 2023 (EST), as set forth in the share purchase agreement, following clearance from the United States Federal Trade Commission and a satisfaction of other closing conditions. The agreement had been announced on December 13, 2022: “Takeda to Acquire 100% Ownership of Nimbus Therapeutics’ TYK2 Program Subsidiary”. Following the completion of this transaction, Takeda has now acquired TAK-279, formerly known at Nimbus as NDI-034858. With Phase 2b data to be presented in Q4 FY2022 and Phase 3 study in psoriasis expected to start in 2023, TAK-279 has the potential to demonstrate best-in-class efficacy, safety and convenience in psoriasis as well as multiple other immune-mediated diseases, including inflammatory bowel disease, psoriatic arthritis and systemic lupus erythematosus. This acquisition strengthens T

O-RAN ALLIANCE Events and Demos at MWC Barcelona Showcasing O-RAN Ecosystem Progress9.2.2023 00:24:00 CET | Press release

Join us for O-RAN ALLIANCE Ecosystem Briefing, February 28, 2023 at MWC Barcelona This press release features multimedia. View the full release here: O-RAN ALLIANCE plans to hold its next industry event on Tuesday, February 28, 2023 from 15:30-16:30 CET at the Deutsche Telekom booth (Hall 3, Stand 3M31). The event will include: An update on O-RAN’s progress and future directions by Alex Jinsung Choi, Chair of the Board of O-RAN ALLIANCE and SVP Group Technology at Deutsche TelekomStefan Engel-Flechsig, O-RAN ALLIANCE COO Views on important areas supporting widespread adoption of open RAN, featuring leading operators from Asia, Europe and the Americas: Open RAN testing and integration – by Chih-Lin I, Chief Scientist from China Mobile and Co-chair of O-RAN Technical Steering Committee Open RAN security – by Claire Chauvin, Strategy Architecture and Standardization Director at Orange Open software for the RAN – by Rob Soni, VP RAN

IFF Reports Fourth Quarter and Full Year 2022 Results8.2.2023 22:31:00 CET | Press release

International Flavors & Fragrances Inc. (NYSE: IFF) reported financial results for the fourth quarter and full year ended December 31, 2022. Management Commentary “IFF delivered solid financial results in 2022 in what continues to be a challenging operating environment,” said IFF CEO Frank Clyburn. “Throughout the year our team successfully executed on what we could control – pricing, productivity and portfolio optimization – to generate strong sales growth, enhance profitability and reduce our debt. At the same time, we introduced a refreshed growth-focused strategy, that deepens our commitment to customers, prioritizes our highest-return businesses, and expands productivity to drive long-term profitable growth. We are confident that these are the right strategies to navigate near-term challenges – as we balance growth, profitability and cash flow generation – and deliver long-term value creation for our shareholders.” Fourth Quarter2022 Consolidated Financial Results Reported net sal

Global Partners Announce Innovations for Marine Managers to Help Our Oceans With Private Sector Support From Mary Kay Inc.8.2.2023 18:03:00 CET | Press release

Ocean conservation managers and practitioners, global experts, and high-level officials are convening for the Fifth International Marine Protected Area Congress (IMPAC5) from February 3-9 in Vancouver, Canada, to take a stand to protect the ocean. This press release features multimedia. View the full release here: MPAth, short for Marine Protected Area Tool Hub, is a free online resource for seascape stakeholders at every level. It uses the same problem-solving matrix honed by marine experts to guide users through a learning journey and help them address their most pressing challenges on sustainable livelihoods, financing, effectiveness, and climate change. (Credit: UN Environment Programme) IMPAC5 is known as the preeminent conference for the exchange of knowledge within the global community of marine conservation managers, practitioners, and decision makers. It provides the opportunity to highlight the latest science and share

Morgan Stanley Hosts First Global Demo Day for Startups in Inclusive Ventures Lab8.2.2023 16:23:00 CET | Press release

Morgan Stanley (NYSE: MS) today is hosting its first global in-person Demo Day, with 10 participating companies from the US and Europe, the Middle East and Africa (EMEA). The cohort companies, all founded by women, will pitch over 200 investors, as well as potential business partners and customers. Over the past five months, Morgan Stanley’s Inclusive Ventures Lab has supported its eighth cohort of technology-enabled startups in the post-seed to Series A funding round stage, offering an intensive accelerator program designed to provide a variety of mentorship opportunities and business-growth resources from across the Firm’s network. “We are on a mission to change the investing landscape for underrepresented founders. Through our accelerator program we are providing promising startups with much-needed capital, the broad resources of Morgan Stanley and access to investors,” said Selma Bueno, Managing Director and Global Head of the Inclusive Ventures Group. “Today’s Demo Day showcases i