State of Software Security, Vol. 12

Partner: Veracode

Development practices are undergoing a fundamental shift toward speed, modularity, and automation. SOSS Volume 12 examines how these trends—specifically the rise of microservices and cloud-native technologies—are reshaping the security landscape. By looking back nearly 16 years to the first applications scanned on the Veracode platform, this report provides the industry’s most detailed view of the long-term evolution of AppSec.

The structural data reveals an explosion in application creation: organizations are now scanning triple the number of new apps per quarter compared to a decade ago. This is accompanied by a collapse in multi-language applications (dropping from 20% to <5%), suggesting a pivot toward smaller, one-language microservices. The report shows how these structural shifts, combined with hands-on developer training, are finally driving down the time that risk lingers in the codebase.

The “human element” also receives a data-driven boost in this volume. Our analysis of Veracode Security Labs proves that the simple act of taking less than an hour to learn how to fix flaws results in getting them fixed 35% faster in the wild. This research offers a hopeful conclusion: applications are, slowly but surely, getting more secure as developers move from quarterly checks to daily scanning habits.

Key Findings

  • Tripled Application Growth: The average number of new applications scanned per account each quarter has more than tripled since 2011.
  • The Microservices Pivot: Applications using multiple languages dropped from 20% in 2018 to less than 5% in 2021, favoring modularity.
  • Scan Cadence Explosion: The median application scan cadence has increased 20x since 2010; 90% of apps are now scanned more than once a week.
  • Training ROI: Organizations with Veracode Security Labs training fix 50% of flaws 60 days faster (110 days vs 170 days) than those without training.
  • Open Source Hygiene: The percentage of third-party libraries with known flaws has dropped from 35% in 2017 to just 10% in 2021.
  • Historical Progress: While some flaw subsets have increased, the overall longitudinal trend for flaw prevalence is slowly but surely moving downward.

The analysis draws on the full historical data from Veracode services, covering 592,000 applications and over 24 million total scans.