Today marks a big milestone for Veracode, and for the application security industry – we’re releasing the 10th volume of our State of Software Security (SOSS) report. 10 SOSS reports and 80,000+ apps later, we’ve accumulated a lot of data, and a lot of insights, about application security trends and best practices. This year, we took a look back at the AppSec picture over the past 10 years, and dug into the data amassed from our security scans from April 2018 to March 2019. Some big takeaways:
The more things change, the more they stay the same: We’ve seen some positive movement this year, but we’ve got a long way to go. The same vulnerabilities are populating the top 10 list, and the percentage of applications that have at least one vulnerability on initial scan has remained high and stagnant over the past 10 years. Secure coding training is clearly still a critical component of any security program.
We’ve moved beyond just finding flaws to fixing them: Our VP of Services Pejman Pourmousa was recently quoted saying, “you can’t scan your way to secure code.” And that sentiment appears to be gaining momentum. This year’s data, especially compared to data over the past 10 years, reveals that developers are indeed focused on fixing the security flaws they find more than ever before. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20% either had no flaws or showed no change. This means 70% of development teams are keeping pace or pulling ahead in the flaw-busting race!
Security debt is piling up: Although fix rates are improving, most organizations are prioritizing newly found security flaws, while letting older, unaddressed flaws linger. This accumulation of security debt is both illustrated in our SOSS data and has started to emerge as a pain point in our conversations with customers. But this year’s data also provides some compelling evidence surrounding steps organizations can take to start chipping away at that debt. In particular, organizations that are scanning the most are carrying 5x less security debt than those scanning the least.
See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.
Oregon State University (OSU) has disclosed a security incident that potentially affected the personally identifiable information of some students and their families. On 14 June, OSU announced that the security incident occurred back in May when external actors hacked a university employee’s email account. At the time of compromise, the email account contained the personal […]
The post Oregon State University (OSU) Discloses Data Breach appeared first on The State of Security.
don’t fuck with love — ESSAY FROM 2013 on CISPA & how the BOSTON BOMBING tried to hide its passing (AND DIDN’T!!!!!) & the state of our DISUNION four years ago as CORPORATIONS TAKE OVER national government COMPLETELY, scott richard
Image by torbakhopper
this essay JUST SEEMS more relevant now in light of the massive dissolution of our civil rights and CORPORATE TAX cuts and breaks that have FLOWN past the sensors in the past two months amidst daily DRAMA FROM OUR DRAMA KING clown nose FAKE dumptruckpresident.
yep, you’ve been chasing the clown’s nose again with all the FBI fake drama.
what a stupid nation of TV FISH.
anyway, read this from FOUR YEARS AGO and tell me it didn’t all come true?!?!?!
The Cyber Intelligence Sharing and Protection Act
every time, around the world, when there is a strangely manufactured tragedy, a bill passes in the mayhem. will it happen again? this one is allegedly worse than the patriot act in terms of allowing immunity and impunity for corporations that betray your information that they have been entrusted with — a "get out of jail" free card for them to use at any time as long as the "hackers" might exist, lol.
remember columbine? how it was used to hide the heaviest bombings of kosovo?
check it out.
"Under the legislation, businesses and the federal government would be able to share technical data without worrying about anti-trust or classification laws. The bill also would grant businesses legal immunity if hacked so long as they acted in good faith to protect their networks."
see what’s up and why 600 million dollars was spent trying to push this controversial "legislation" that violates ALL your online privacy and holds you responsible for all your words, pictures and ideas.
and, just so you feel comfortable having some ABSOLUTELY solid evidence of how this will affect certain people let me open your eyes to the new surveillance that will surround "self reporting" errors that are currently in operation.
you know what i mean, you go down to the dude who calls himself a "doctor" and she asks you basic questions each year and you lie.
she says, "so, margaret, how many glasses of wine do you drink a day?"
margaret CHRONICALLY LIES (like most americans who lie) and says, "oh, i don’t drink more than three glasses a week! and red wine is good for you." however, margaret actually goes through five bottles of two buck chuck’s red wine every week at trader joes — a corporation who will sell this information to the government (who have hijacked the medical care industry under obama’s rule) and then margaret’s insurance rates will go up. and the "u.s. govt" can fish around for other bills and receipts, email threads or online "confessions".
per this request, safeway or cvs might also let the "u.s. govt" know that margaret is also using several kinds of over the counter drugs on a regular basis. and they might itemize her eating habits to determine her overall well-being.
and this kind of "shopping surveillance" will be aptly applied to ANY and ALL areas of one’s life where tracking monitors are in place (oh, big surprise, any corporate outlet).
so, technically, at first (ahh, the monkey’s paw in this design), only bad people will be in trouble. which makes us consider our own ethical and moral conditions as real people. what are our vices and addictions and penchants and abuses? how secret are they? are they self destructive?
and then there’s always that voice that sounds like an alarm clock talking – "they’re taking over folks. it’s happening right in front of our eyes!!"
and honestly, i think u.s. citizens have become so crazy and weird and detached from "reality" that maybe it’s not the worstest ever thing that the blinders are so firmly attached to the head of the average citizen.
and why shouldn’t americans be confused!? isn’t it time we own up to who and what we are as a nation of peddling pornographers, weapons manufacturers and surveillance technology? if we don’t, sooner or later some other power structure will fill this gap we are "supposedly" vacating.
but most americans are bonded and manacled to usury in the form of home loans, student loans, car loans or business loans. so we work stupid jobs and waste our life hours looking at screens and typing dumb messages and acting like we actually do any real work.
we don’t grow our own food or actively source our water quality and air quality.
we shop and buy stuff and try it on and wear it out.
but it’s not too late.
SEE PROPOSAL BELOW
we still have time to build the towers and show the world that we ain’t babylon!!!!
or we can roll with the rogue government that’s currently in place.
personally, i’m cool with either version of the story.
but it’s still good advice not to fuck with love