ShiftLeft on Thursday released some rare positive news on the AppSec front: based on millions of scans of its customers' code, it reported a 97% reduction in the number of open source software (OSS) vulnerabilities that teams actually need to fix.
The researchers said that by identifying and prioritizing the OSS vulnerabilities that are actually attackable, AppSec teams and developers can fix what matters, ship code faster, and improve security with fewer, better fixes.
In other significant findings, ShiftLeft’s report said that by focusing on attackability and reducing false positives, developers can make fixes faster and cut mean-time-to-remediate (MTTR). ShiftLeft reported a 37% year-over-year reduction in MTTR, which it says improves overall security posture and reduces the likelihood of attacks by shortening the window during which vulnerabilities are exposed.
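The attackability-based prioritization described above, as an added example that is not ShiftLeft's code or method: it assumes that "attackable" means the vulnerable dependency function is reachable from the application's own entry points through its call graph, which is one common way to define the term. The package names, advisory ids, function names and the call graph are all constructed for the example.

```python
"""Reachability-based prioritization of open source vulnerability findings.

Added example, not ShiftLeft's code. It filters dependency findings down to
those whose vulnerable function is reachable from the application's entry
points, using a constructed call graph. Package names, advisory ids and
function names are made up.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    advisory: str       # hypothetical advisory id, not a real CVE
    package: str
    vulnerable_fn: str  # fully qualified function the advisory affects
    severity: float     # CVSS-like base score


def reachable_functions(call_graph, entry_points):
    """Return every function reachable from entry_points via the call graph.

    call_graph maps caller -> list of callees. Breadth-first search handles
    cycles because each node is visited once.
    """
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def prioritize(findings, call_graph, entry_points):
    """Split findings into (attackable, unreachable).

    A finding is attackable when its vulnerable function lies on some path
    from an entry point. Attackable findings are ordered by severity so the
    highest-risk item is fixed first.
    """
    reachable = reachable_functions(call_graph, entry_points)
    attackable = [f for f in findings if f.vulnerable_fn in reachable]
    unreachable = [f for f in findings if f.vulnerable_fn not in reachable]
    attackable.sort(key=lambda f: f.severity, reverse=True)
    return attackable, unreachable


# Constructed call graph for a small web service: application code calls into
# two dependencies, only some of whose functions sit on a request path.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.handle_search"],
    "app.handle_upload": ["imglib.decode", "storage.put"],
    "app.handle_search": ["querylib.parse", "storage.get"],
    "imglib.decode": ["imglib.parse_header"],
    "querylib.parse": ["querylib.tokenize"],
    # imglib.render_svg and querylib.eval_script exist in the packages but
    # nothing in the application calls them.
    "imglib.render_svg": ["imglib.parse_header"],
}

ENTRY_POINTS = ["app.main"]

# Constructed findings; ids are placeholders, not real advisories.
FINDINGS = [
    Finding("ADV-0001", "imglib", "imglib.parse_header", 7.5),
    Finding("ADV-0002", "imglib", "imglib.render_svg", 9.8),
    Finding("ADV-0003", "querylib", "querylib.eval_script", 9.1),
    Finding("ADV-0004", "querylib", "querylib.tokenize", 5.3),
    Finding("ADV-0005", "storage", "storage.delete_all", 8.2),
]


def triage_report():
    """Run prioritization over the constructed inputs and summarize."""
    attackable, unreachable = prioritize(FINDINGS, CALL_GRAPH, ENTRY_POINTS)
    return {
        "attackable": [f.advisory for f in attackable],
        "unreachable": [f.advisory for f in unreachable],
        "reduction_pct": round(100 * len(unreachable) / len(FINDINGS)),
    }


if __name__ == "__main__":
    print(triage_report())
```

Two caveats a practitioner would apply before trusting the "unreachable" list: a static call graph misses edges created by reflection, dynamic dispatch or plugin loading, so an unreachable verdict is only as good as the graph; and reachability changes with every commit, so the filter has to be re-run on each scan rather than used once to close findings permanently.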
The report also pointed out that rapid scans let security teams scan more frequently, improving coverage of very large applications that previously took hours or days to scan. Overall, ShiftLeft reported a median scan time of 90 seconds.
Casey Bisson, head of product and developer relations at BluBracket, said the ShiftLeft report highlights how the combination of people, process and tooling can improve application and code security outcomes, particularly when drawing on open source code and software. Bisson said automated, real-time scanning of every commit has become an integral part of the CI process and the most effective way to give developers the feedback they need to improve security during development and before deployment.
“In general, we see teams that prioritize security see improved outcomes no matter what solutions they use,” Bisson said. “The problem is that they’re the minority. More awareness of ongoing code and application security problems is essential, which is why, for example, we partnered with the Linux Foundation to help secure software at the source. Making security easy enough so that teams don’t have to work hard to prioritize it is essential.”
Scott Gerlach, co-founder and CSO at StackHawk, said the changes in MTTR are positive indicators of improvement, but show how much still needs to be done. Gerlach said if we are still shipping vulnerabilities to production to find them and then coming back around to fix them, that’s not shifting left.
“That’s at best getting better at the old way,” Gerlach said. “Leading organizations are giving developers the tools and information to fix those same 76% of attackable vulnerabilities while they were writing the software. That means we’re putting out high-quality software, and have room in the next two sprints to do feature work instead of re-work.”