Enterprises that integrate security testing into their CI/CD pipeline fix 91.4 percent of new issues, according to a progress report from ShiftLeft.
Recent software supply chain attacks illustrate the growing risks businesses, their partners, and customers face. But a recent report suggests better outcomes for those who put security at the heart of app development.
Data from a ShiftLeft customer report shows that companies that have rebuilt their core testing processes around faster, more accurate static analysis are able to:
- Release more secure code at scale
- Scan more frequently
- Work fixes earlier into the software development lifecycle
- Carry less security debt
- Sustain more security fixes overall
Data for the report represents customer usage of ShiftLeft CORE between May 1, 2020 and April 20, 2021. Manish Gupta, the company’s CEO and co-founder, shared the findings and lessons with Mike Shema during a recent episode of Application Security Weekly.
Among the report’s findings:
- While legacy security analysis tools can take hours or even days to conduct a full scan, ShiftLeft customers experienced a median scan time of 2 minutes and 20 seconds.
- With shorter scan times, 46 percent of applications are scanned at least weekly and 17 percent are scanned at least daily.
- Legacy analysis tools generate many false positives that can overwhelm AppSec and development teams. When open-source vulnerabilities are prioritized by true “reachability” (whether the vulnerable code in a dependency is actually invoked by the application), organizations reduced the number of their SCA tickets by an average of 92 percent.
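To make the reachability idea concrete, here is an added illustrative example (my own code, not ShiftLeft’s tooling or the report’s methodology). It contrasts naive package-level matching, which raises a ticket for every advisory against an installed package, with call-graph reachability, which keeps only advisories whose affected function is reachable from the application’s entry point. The call graph, package names, advisory IDs, and function names are all constructed placeholders; a real SCA tool would derive the graph from the code.

```python
"""Reachability-based prioritization of SCA findings (added example, not ShiftLeft code)."""
from collections import deque

# Constructed call graph: caller -> list of callees.  The application's
# entry point is "app.handle_request".  Edges into third-party packages
# model which dependency functions the app really invokes.
CALL_GRAPH = {
    "app.handle_request": ["app.parse_body", "libjson.loads", "app.render"],
    "app.parse_body": ["libjson.loads"],
    "app.render": ["tmpl.render_safe"],
    "libjson.loads": ["libjson._decode"],
    "tmpl.render_safe": [],
    # Dependency functions that exist on disk but are never called by the app.
    "libjson.load_file": ["libjson.loads"],
    "tmpl.render_unsafe": [],
    "imgproc.resize": ["imgproc._native_decode"],
}

# Constructed advisories.  IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "package": "libjson", "function": "libjson._decode", "severity": "high"},
    {"id": "ADV-0002", "package": "tmpl", "function": "tmpl.render_unsafe", "severity": "critical"},
    {"id": "ADV-0003", "package": "imgproc", "function": "imgproc._native_decode", "severity": "critical"},
    {"id": "ADV-0004", "package": "libjson", "function": "libjson.load_file", "severity": "medium"},
]

INSTALLED_PACKAGES = {"libjson", "tmpl", "imgproc"}


def naive_package_matches(advisories, installed):
    """Legacy SCA behaviour: every advisory against an installed package is a ticket."""
    return [adv for adv in advisories if adv["package"] in installed]


def reachable_functions(graph, entry_points):
    """Breadth-first walk of the call graph from the application's entry points."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, []))
    return seen


def prioritize(graph, advisories, entry_points):
    """Split advisories into those whose affected function is reachable and those that are not."""
    reach = reachable_functions(graph, entry_points)
    reachable, unreachable = [], []
    for adv in advisories:
        (reachable if adv["function"] in reach else unreachable).append(adv)
    # Surface the most severe reachable findings first.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    reachable.sort(key=lambda a: order.get(a["severity"], 99))
    return reachable, unreachable


def ticket_reduction_percent(total_tickets, kept_tickets):
    """Percentage of tickets removed by reachability filtering."""
    if total_tickets == 0:
        return 0.0
    return 100.0 * (1 - kept_tickets / total_tickets)


if __name__ == "__main__":
    naive = naive_package_matches(ADVISORIES, INSTALLED_PACKAGES)
    keep, drop = prioritize(CALL_GRAPH, ADVISORIES, ["app.handle_request"])
    print("package-level matching would open", len(naive), "tickets")
    print("reachable (open tickets):", [a["id"] for a in keep])
    print("unreachable (deprioritized):", [a["id"] for a in drop])
    print("ticket reduction: %.0f%%" % ticket_reduction_percent(len(naive), len(keep)))
```

In this constructed graph only `libjson._decode` is on a path from the entry point, so one of the four package-level matches survives. The unreachable advisories are not discarded; they are deprioritized, which is what lets a team spend its fixing budget on findings an attacker could actually trigger.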
Some of the key results from ShiftLeft’s report.
“When increasing the speed and frequency of scans and prioritizing SCA tickets, we found enterprises that tightly integrate security testing within their CI/CD pipeline fix 91.4 percent of new issues,” Manish said.
Overall, customers fixed 58 percent of new issues before they became technical debt, he added. Of the vulnerabilities organizations fixed in their applications, 86 percent were in critical or well-known issue classes; the most-fixed issue types are all in the OWASP Top Ten, Manish noted.