12 Episodes

In Season 2 of our podcast series, we’ll discuss the implications and mandates generated by Veracode’s most recent State of Software Security report. Our industry experts will pick up from Season 1’s highlights to take a closer look at application security today. Listeners will learn more about:

    The impact security debt is having across industries

    The changing attitudes and priorities put around application security

    How the average number of days to fix software flaws has almost tripled since the last report

    The case for scanning early and often

Sponsored by Veracode

A Hard Look at Software Security IDG

    • Technology


    What’s behind most security debt

    Security debt, defined as aging and accumulating flaws in software, is emerging as a significant pain point for organizations across industries.
    In this first episode of our second season of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss what factors are behind security debt and how security managers can arm themselves with this knowledge to tackle the problem.
    Listeners will learn about:

    How cross-site scripting is contributing to security debt and why it’s noteworthy

    Findings on how organizations are prioritizing fixes

    Why security debt is not being discussed enough among security professionals


    Produced by IDG Communications, Inc., in association with Veracode.

    • 14 min
    Security debt across sectors: behind the numbers

    According to the latest State of Software Security report from Veracode, the retail industry has the lowest average number of unaddressed security flaws. Government and education have the largest “iceberg” of security debt lurking below the surface. Financial services firms have the best fix rate among all industries.
    In this episode of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss security debt across industries and what is influencing their flaw fix rates.
    Listeners will learn more about:

    The differences in software security across sectors

    Why the government and education sectors have a so-called iceberg of security debt

    The details on why finance has the best fix rate


    Produced by IDG Communications, Inc., in association with Veracode.

    • 13 min
    Unresolved flaws: security debt grows deeper

    The average number of days to fix software flaws was 59 days in the first Veracode State of Software Security report from ten years ago. Today, it has jumped to 171 days in the latest 2019 report.
    While typical median fix times haven't gotten worse in 10 years (they have remained about the same), security debt is getting much deeper.
    In this episode of A Hard Look at Software Security, Chris Eng, Vice President of Research with Veracode, will discuss the relevance of the findings on median time to remediate flaws, and where organizations may stand when it comes to their own security debt.
    Listeners will learn about:

    Why security debt is getting much deeper

    Whether fixes are prioritized by flaw severity or exploitability

    Why the source of an application affects the speed of remediation


    Produced by IDG Communications, Inc., in association with Veracode.

    • 11 min
    AppSec grows up

    AppSec awareness has grown over the past decade. In Volume One of Veracode’s State of Software Security report, most of the conversation was about explaining and advocating for application security. Today, far less of that is necessary, and the emphasis has shifted to how to build an effective, mature application security program.
    In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will discuss positive AppSec signs and what they mean for security best practices.
    Listeners will learn more about:

    Factors influencing the change in application security programs

    What the State of Software Security report uncovers when it comes to current AppSec efforts

    Why awareness about AppSec risk has grown, but actual risk reduction still has room for improvement


    Produced by IDG Communications, Inc., in association with Veracode.

    • 14 min
    Frequency matters: the case for scanning early and often, part 1

    The latest Veracode State of Software Security report reveals that scanning early, often, and steadily helps you fix more flaws faster without adding to security debt. The report finds that 56 percent of software flaws eventually get fixed. While 76 percent of high-severity flaws are addressed by developers, only half of the applications showed a net reduction in flaws over the sample time frame.
    In this episode of A Hard Look at Software Security, Paul Farrington, Chief Technology Officer for the Europe, Middle East, and Asia regions at Veracode, will dive deeper into those numbers and discuss when development teams should consider scanning and why.
    Listeners will learn more about:

    The stage at which development teams should engage in software scanning

    DevSecOps culture and how to enable it

    Where DevSecOps is heading in the future


    Produced by IDG Communications, Inc., in association with Veracode.

    • 17 min
    Frequency matters: the case for scanning early and often, part 2

    Security debt, defined as aging and accumulating flaws in software, is a lot like credit card debt. You can throw money at the balance, but if you don’t stop spending, you’re never going to actually get out of debt.
    In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will join us to continue our conversation on software scanning, with a focus on the security debt that accumulates in applications when flaws persist over long time frames.
    Listeners will learn more about:

    Why there is less security debt in organizations that scan their code more than 300 times per year

    How to know if security debt is meaningful

    Best practices for incorporating scanning into the process


    Produced by IDG Communications, Inc., in association with Veracode.

    • 14 min
