ShiftLeft, Inc. released its inaugural AppSec Shift Left Progress Report. Leveraging insight from ShiftLeft's CORE platform and customer application scanning patterns over a 12-month period, the report found that next-generation static application security testing (SAST) and intelligent software composition analysis (SCA) can increase the speed of vulnerability scans and narrow their scope to the issues that are actually reachable. This leads to measurably better outcomes: more frequent scans, higher fix rates earlier in the CI/CD pipeline (which keep security debt from accruing), and more security fixes overall.
"SaaS developers must move quickly to keep their businesses competitive in today's market. As a result, building security into the DevOps process has traditionally been a burden," said Vibhuti Sinha, Chief Product Officer at Saviynt. "Faster scan times and increased scan frequency allow us to adopt the shift left philosophy and dramatically increase the number of critical, reachable vulnerabilities our team can address while also preventing the accrual of unnecessary security debt."
As enterprises continue to accelerate digital transformation initiatives to support remote work and digital business, developers continuously bring software to market at record velocities. Additionally, as cyber-attacks and supply chain attacks grow in scale and frequency, enterprises are paying heightened attention to code security. The AppSec Shift Left Progress Report reveals that tightly integrating security testing with the CI/CD pipeline results in better outcomes, which will be critical as the world continues to rely on digital services and enterprises accelerate security transformation.
Key findings from the report include:
- Speed and Frequency of Scans -- While legacy security analysis tools can take hours or even days to conduct a full scan, ShiftLeft customers experienced a median scan time of 2 minutes and 20 seconds. With shorter scan times, 46% of applications are scanned at least weekly and 17% are scanned at least daily.
- Prioritizing Findings for Modern Applications -- Legacy analysis tools generate a large number of false positives that can overwhelm AppSec and development teams. When open source vulnerabilities are prioritized by accounting for true "reachability" (whether the vulnerable code can actually be reached from the application), ShiftLeft found that organizations reduce the number of their SCA tickets by an average of 92%.
- Fix-Rates for Managed CI/CD -- With faster, more frequent scans and prioritized SCA tickets, ShiftLeft found that enterprises which tightly integrate security testing within their CI/CD pipeline fix 91.4% of new issues. Overall, customers fixed 58% of new issues before they became technical debt.
- Security Fixes by Type -- Of the growing number of vulnerabilities organizations fixed in their applications, 86% of the fixes were for critical or well-known issue classes. The most fixed issue types were all in the OWASP Top Ten.
Application security is still commonly performed with outdated SAST technology that takes hours or days to execute. While SCA tools may find risk in open source libraries, they often fall short of determining whether the vulnerabilities they report are actually reachable. In today's modern, digital business era, enterprises require a combination of intelligent, prioritized SCA and SAST tools to manage risk at the speed of DevOps.
"For the first time, ShiftLeft is enabling AppSec and development teams to release secure code at scale. ShiftLeft provides its customers with a developer-centric approach to application security, enabling them to compare custom code within their production environments, narrowing the scope of only 'reachable' vulnerabilities," said Manish Gupta, CEO of ShiftLeft. "Our new report demonstrates that with ShiftLeft CORE, enterprises are executing scans in minutes and fixing 91.4% of new vulnerabilities, eliminating security debt and enabling teams to focus more time and resources on preventing vulnerabilities of certain types and severities from ever merging with their main branch. I am proud that ShiftLeft is helping its customers to embrace cloud while reducing security risk."