ShiftLeft, Inc., a leader in application security, today released its inaugural AppSec Shift Left Progress Report. Leveraging insight from ShiftLeft’s CORE platform and customer application scanning patterns over a 12-month period, the report revealed that next-generation static application security testing (SAST) and intelligent software composition analysis (SCA) can increase the speed of vulnerability scans and narrow their scope to highlight reachable issues. This ultimately leads to measurably better outcomes: more frequent scans, fix rates earlier in the CI/CD pipeline that prevent security debt from accruing, and more security fixes overall.
“SaaS developers must move quickly to keep their businesses competitive in today's market. As a result, building security into the DevOps process has traditionally been a burden,” said Vibhuti Sinha, Chief Product Officer at Saviynt. “Faster scan times and increased scan frequency allow us to adopt the shift left philosophy and dramatically increase the number of critical, reachable vulnerabilities our team can address while also preventing the accrual of unnecessary security debt.”
As enterprises continue to accelerate digital transformation initiatives to support remote work and digital business, developers continuously bring software to market at record velocities. Additionally, as cyber-attacks and supply chain attacks grow in scale and frequency, enterprises are placing heightened emphasis on code security. The AppSec Shift Left Progress Report reveals that tightly integrating security testing with the CI/CD pipeline results in better outcomes, which will be critical as the world continues to rely on digital services and enterprises accelerate security transformation.
Key findings from the report include:
Speed and Frequency of Scans -- While legacy security analysis tools can take hours or even days to conduct a full scan, ShiftLeft customers experienced a median scan time of 2 minutes and 20 seconds. With shorter scan times, 46% of applications are scanned at least weekly and 17% are scanned at least daily.
Prioritizing Findings for Modern Applications -- Legacy analysis tools generate a large number of false positives that can overwhelm AppSec and development teams. When open source vulnerabilities are prioritized by accounting for true “reachability,” ShiftLeft found that organizations reduce the number of their SCA tickets by an average of 92%.
Fix-Rates for Managed CI/CD -- When increasing the speed and frequency of scans and prioritizing