Application security company ShiftLeft has released its inaugural AppSec Shift Left Progress Report. Leveraging insight from ShiftLeft’s CORE platform and customer application scanning patterns over a 12-month period, the report revealed that next-generation static application security testing (SAST) and intelligent software composition analysis (SCA) can increase the speed of vulnerability scans and narrow their scope to highlight reachable issues. This ultimately leads to measurably better outcomes: more frequent scans, fix rates earlier in the CI/CD pipeline that prevent security debt from accruing, and more security fixes overall.
"SaaS developers must move quickly to keep their businesses competitive in today's market. As a result, building security into the DevOps process has traditionally been a burden," said Vibhuti Sinha, Chief Product Officer at Saviynt. "Faster scan times and increased scan frequency allows us to adopt the shift left philosophy and dramatically increase the number of critical, reachable vulnerabilities our team can address while also preventing the accrual of unnecessary security debt."
As enterprises continue to accelerate digital transformation initiatives to support remote work and digital business, developers continuously bring software to market at record velocities. Additionally, as cyber-attacks and supply chain attacks grow in scale and frequency, enterprises are placing heightened awareness on code security. The AppSec Shift Left Progress Report reveals that tightly integrating security testing with the CI/CD pipeline results in better outcomes that will be critical as the world continues to rely on digital services and enterprises accelerate security transformation.
Key findings from the report include:
Speed and Frequency of Scans -- While legacy security analysis tools can take hours or even days to conduct a full scan, ShiftLeft customers experienced a median scan time of 2 minutes and 20 seconds. With shorter scan times, 46% of applications are scanned at least weekly and 17% are scanned at least daily.
Prioritising Findings for Modern Applications -- Legacy analysis tools generate a large number of false positives that can overwhelm AppSec and development teams. When open source vulnerabilities are prioritized by accounting for true "reachability," ShiftLeft found that organizations reduce the number of their SCA tickets by an average of 92%.
Fix-Rates for Managed CI/CD -- When increasing the speed and frequency of scans and prioritising SCA tickets, ShiftLeft found enterprises that tightly integrate security testing within their CI/CD pipeline fix 91.4% of new issues. Overall, customers fixed 58% of new issues before they became technical debt.
Security Fixes by Type -- As organisations fix a higher number of vulnerabilities in their applications, 86% of these fixes were for critical or well-known issue classes. The most fixed issue types were all in the OWASP Top Ten.
Application security is still commonly performed with outdated SAST technology that takes hours or days to execute. While SCA tools may find risk in OS libraries, they often fall short of determining whether vulnerabilities are actually reachable. In today’s modern, digital business era, enterprises require a combination of intelligent, prioritized SCA and SAST tools to manage risk at the speed of DevOps.
"For the first time, ShiftLeft is enabling AppSec and development teams to release secure code at scale. ShiftLeft provides its customers with a developer-centric approach to application security, enabling them to compare custom code within their production environments, narrowing the scope of only ‘reachable’ vulnerabilities," said Manish Gupta, CEO of ShiftLeft. "Our new report demonstrates that with ShiftLeft CORE, enterprises are executing scans in minutes and fixing 91.4% of new vulnerabilities, eliminating security debt and enabling teams to focus more time and resources on preventing vulnerabilities of certain types and severities from ever merging with their main branch. I am proud that ShiftLeft is helping its customers to embrace cloud while reducing security risk."