This is marketing for Veracode which is crap by the way.<p>You can’t assess for risk without knowing anything about the environment, compensating controls and business logic.<p>Veracode is a check-the-box enterprise compliance tool that reduces engineering productivity and corporate profitability.<p>Yes, vulnerability management is an important problem but Veracode is not the solution not even close.
Automated detection of risky code can be very useful, but it inherently lacks the capacity to differentiate whether a particular case of bad practice actually is a flaw or not. For a simplified example, usage of eval() in many dynamic languages is potentially risky and <i>could</i> result in a total takeover of the application, so these tools will generally flag it as 'critical' - even if in that particular case this 'eval' is run on data that can't possibly be affected by any user-controlled input (in that case it was used in a slightly weird design for code generation to save on copypasta) and does not have any security risk.<p>Anecdotally, when I have done triage on such analysis, perhaps 5-10% of things the tools marked as 'critical' (i.e. <i>potentially</i> critical) were flaws which might have had some actual impact and need to be fixed. So when some vendor says in an article like this "The study found nearly two-thirds (63%) of the applications scanned had flaws in the first-party code", keep that in mind - they're generally treating all detections as real, but it's rarely the case.<p>But on the other hand, it may well be the case that it's simpler to have a process to just clean up all suspicious places in the code; just as the simplest way to avoid use-after-free errors is to use a garbage-collected language instead of just trying to ensure that every single memory allocation in C is correctly implemented.
When I stared in professional software there was almost an extreme paranoia of adding new libraries. Now we have 20 year olds adding whatever they want via NPM.
Lol, I haven't noticed software developers caring about security any more than they used to. 99% of them don't care, and 1% of them are responsible for 75% of secure code. Moreover, there is no consequence if they write insecure code, just like there's no consequence if they write unreliable code. They get the same paycheck regardless of the outcome.