New Veracode Research Shows Developers Remediate Low-Severity Flaws with More Urgency than Severe Flaws; New Capabilities Enable Organizations to Prioritize Remediation That Matters Most
Black Hat USA Conference (booth #2536) – Veracode, a
global leader in application risk management, today announced
platform innovations to help organizations uncover, prioritize, and
reduce security debt across their growing attack surface. Universal
Connector and Application Security Heatmap, the two newest
capabilities from Longbow powered by Veracode, allow organizations
to quickly connect findings from any source and see the
applications that are contributing to the most risk. Together, the
Universal Connector and the Application Security Heatmap provide
clear, operational insight into assets and issues, allowing
remediation actions to be prioritized by quantifiable risk.
This press release features multimedia. View
the full release here:
https://www.businesswire.com/news/home/20240801020287/en/
Figure 1: State of Software Security 2024 Language Snapshot (Graphic: Business Wire)
“The combination of mounting security debt, an expanding attack
surface made more vulnerable by generative AI, and an overwhelming
volume of security alerts makes it challenging for organizations to
know which application risks to prioritize,” said Chris Eng, Chief
Research Officer at Veracode. “In fact, our State of Software
Security research shows that many organizations are more focused on
remediating low-severity flaws than critical flaws. Security
leaders need technology that enables them to effectively uncover
and manage application risk, and then reduce that risk by focusing
on the issues that matter most across their entire attack
surface.”
Prioritization of Security Debt: Critical vs Non-critical
In its State of Software Security 2024 Language Snapshot,
Veracode revealed the varying prevalence of “critical” and
“non-critical” security debt among applications written in
different languages. Critical security debt is defined for this
report as high-severity flaws that remain unfixed for longer than a
year. If exploited, these flaws would put the integrity and
availability of organizations at serious risk.
The research found that while most security debt exists in
first-party code written by in-house developers, the most critical
security debt resides in third-party code (e.g., open-source
software imported into the codebase). For example, 80 percent of
critical debt in Java apps, and 63 percent in JavaScript apps, is
in third-party code. The report also found about 51 percent of
critical flaws in Java apps turn into security debt, while only
about 45 percent of low to medium flaws progress into security
debt.
Eng said, “With the overflowing volume of security flaws,
developers are not prioritizing those that present the most risk.
While focusing on non-critical flaws may result in some quick
fixes, developers should use their limited capacity to work on
fixing critical flaws with the highest potential impact on
security.”
Putting Visibility and Prioritization First: Universal Connector & Application Security Heatmap
Building on Veracode’s acquisition of Longbow Security in April
this year, and the introduction of Longbow’s Repo Risk Visibility
and Analysis capability in May, Universal Connector and Application
Security Heatmap are designed with developers’ time in mind. The
capabilities provide operational oversight to help developers and
security teams quickly identify and prioritize the most important
fixes for growing security debt across their applications.
Universal Connector allows organizations to quickly access
disparate source data they otherwise couldn’t bring into the
Longbow platform, meaning they don’t have to wait for a
tool-specific connector. The Application Security Heatmap maps the
application back to the owner and shows a 90-day risk trend, as
well as enabling customization of the risk threshold to meet
organizational policy. Application security teams and developers
can analyze each application, view the distribution of risk, and
implement recommendations for the Best Next Action™ to remediate
that risk.
“As organizations seek to find and fix mounting critical
security debt, the need for risk-focused visibility and
prioritization is clear,” said Derek Maki, Vice President of
Product Management at Veracode. “The new capabilities in the
Longbow platform provide our customers with a deeper understanding
of an organization’s riskiest applications, plus the unique ability
to identify the top five most impactful solutions for
improvement.”
Enhanced by the Longbow acquisition, Veracode closes the gap
between development and security teams, delivering visibility from
code repositories to cloud assets and runtime. Longbow also
identifies infrastructure-as-code and misconfiguration risk for
cloud assets originating from repositories.
The Longbow Universal Connector and Application Security Heatmap
are available immediately. For more information, please visit the
website or watch the interview with Brian Roche, Veracode Chief
Executive Officer, and Derek Maki.
The full State of Software Security 2024 Language Snapshot is
available on the Veracode website.
Visitors to the Black Hat USA Conference, August 3-8, 2024, can
learn more about Veracode’s platform and these new features by
visiting Veracode’s booth #2536 for a demo.
About the State of Software Security Report
The Veracode State of Software Security 2024 report analyzed
data from large and small companies, commercial software suppliers,
software outsourcers, and open-source projects. The research draws
from more than a million (1,007,133) applications across all scan
types, 1,553,022 dynamic analysis scans, and 11,429,365 static
analysis scans. All those scans produced 96 million raw static
findings, 4 million raw dynamic findings, and 12.2 million raw
software composition analysis findings.
About Veracode
Veracode is a global leader in Application Risk Management for
the AI era. Powered by trillions of lines of code scans and a
proprietary AI-assisted remediation engine, the Veracode platform
is trusted by organizations worldwide to build and maintain secure
software from code creation to cloud deployment. Thousands of the
world’s leading development and security teams use Veracode every
second of every day to get accurate, actionable visibility of
exploitable risk, achieve real-time vulnerability remediation, and
reduce their security debt at scale. Veracode is a
multi-award-winning company offering capabilities to secure the
entire software development life cycle, including Veracode Fix,
Static Analysis, Dynamic Analysis, Software Composition Analysis,
Container Security, Application Security Posture Management, and
Penetration Testing.
Learn more at www.veracode.com, on the Veracode blog, and on
LinkedIn and X.
Copyright © 2024 Veracode, Inc. All rights reserved. Veracode is
a registered trademark of Veracode, Inc. in the United States and
may be registered in certain other jurisdictions. All other product
names, brands or logos belong to their respective holders. All
other trademarks cited herein are property of their respective
owners.
For more information, please contact: Katy Gwilliam
kgwilliam@veracode.com