Insecure code continues to thwart IT departments, but a new study out this week shows how advisory services can help developers better understand secure coding practices and remediate vulnerabilities much more quickly than those who go it alone.

June 25, 2015

Remediation Coaching Services Make All The Difference In Flaw Fixing

By Ericka Chickowski

Released by Veracode, the State of Software Security report offers a glimpse into the still dismal world of application-layer risk. It shows that across all industries, the average flaw density on first assessment is 58 flaws per MB of code, and that figure improves by only about 14 percent on reassessment. Measured against the OWASP Top 10, the industry-standard list of the most critical web application risks, internally developed applications passed all ten checks only 37 percent of the time.

Diving deeper into specific industries, the report showed that government and healthcare fared particularly poorly. Government agencies fixed only about 27 percent of the vulnerabilities identified in their assessments, and healthcare organizations did only a little better, remediating 43 percent of their flaws. More startling, 80 percent of healthcare applications suffered from some kind of cryptographic issue, such as the use of weak algorithms, a concerning finding given the sensitivity of the patient data these organizations are entrusted to protect.

Fortunately, organizations are becoming more aware of application risks and have gradually improved over the last decade. Since 2006, Veracode's customers have fixed 60 percent of the vulnerabilities identified in their assessments, and in 2014 alone the customer base fixed 70 percent of the flaws it found that year.

Veracode reports that some of the biggest gains come from what it calls remediation coaching services. Organizations that engage the firm's consultants for this coaching reduce their flaw density by 42 percent between first assessment and reassessment, about 2.5 times the improvement seen by those that go without it. These services include explaining to developers how the testing was performed, reviewing the findings with them, answering their questions, and discussing next steps such as a remediation and mitigation plan.

“The data in this report clearly shows that, by addressing the problem systematically and at scale, enterprises can significantly reduce application risk — not by installing more next-generation firewalls, but by remediating application-layer vulnerabilities to reduce enterprise risk,” says Chris Wysopal, CTO and CISO of Veracode.

This kind of data could serve as a useful benchmark for MSSPs seeking to specialize in application security services.
