CA Southern Africa, Veracode highlight modelling factors that influence the introduction of application flaws

Craig De Lucchi, Account Director, CA Southern Africa.

---

CA Southern Africa has released details of the Veracode 2023 State of Software Security report that highlights the factors that contribute to the introduction of flaws in applications, how to remediate them quickly and lower security debt. 

CA Southern Africa is the sole sub-Saharan Africa representative of CA Technologies, a Broadcom company. Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breaches and increasing security and development teams’ productivity.

Craig de Lucchi, Account Director, CA Southern Africa, notes that Veracode aims to help development teams hit the objective of introducing fewer new flaws in application development and set about examining the factors that contribute to them. “Veracode also examined how widespread flaws are and what factors separate flawed applications from those with no flaws, eg, age, inactivity skill, training and more,” says De Lucchi.

“The research discovered that training (or lack of it) is strongly connected with flaw introduction. Security labs training exists to educate developers on the different types of flaws and how to avoid introducing them into their code. It was noted that when developers completed any number of security labs, flaws were increasingly less likely to be introduced. The bottom line is the more training, the better,” he says.

“The study refers to age of the application, which in this model actually represents years on the Veracode Platform. For every year the application is scanned on the Veracode platform, it was noted that one could expect an average drop of 1.3% in the probability of one or more flaws being introduced.

“The report notes that when we see applications integrate code scanning into their pipeline via API scanning, we see the probability of introducing flaws reduced by 2% on average. The API scan doesn’t itself make things more secure, but it is an indicator of maturity.”

If an organisation is using automation that abstracts human interaction, then we can assume it has other things in place, such as access control to the pipeline, but the report does note that this is an assumption. “The research reveals there is a 27% probability per month that flaws will be introduced into applications. It was seen that when flaws were introduced, the interesting thing is that the same factors that reduce the chance of introducing flaws in the first place also reduced the volume of flaws introduced. When it comes to the number of flaws introduced, the age of the application is an interesting factor to examine. The research determined that age is in itself a factor that reduces flaw count if everything else remains constant, but noted that everything does remain constant. Veracode concluded that scanning via API reduces the probability that new flaws will be introduced.”

It was found that an increase of the application size by 10% (which is a rather large shift in size) is 0.6% more likely to introduce one or more new flaws. Growth and age are not always tied, but as applications grow, they do become more complex.

“These are just some of the factors identified by Veracode in this important research. Companies using Veracode are provided with the ability to move their businesses forward. With its combination of process automation, integrations, speed and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing – not just finding – potential vulnerabilities,” concludes De Lucchi.