Next-generation static application security testing (SAST) and intelligent software composition analysis (SCA) can increase the speed of vulnerability scans and narrow their scope to highlight reachable issues, a ShiftLeft report reveals. This ultimately leads to measurably better outcomes: more frequent scans, fix rates earlier in the CI/CD pipeline that prevent security debt from accruing, and more security fixes overall.
“SaaS developers must move quickly to keep their businesses competitive in today’s market. As a result, building security into the DevOps process has traditionally been a burden,” said Vibhuti Sinha, Chief Product Officer at Saviynt.
“Faster scan times and increased scan frequency allows us to adopt the shift left philosophy and dramatically increase the number of critical, reachable vulnerabilities our team can address while also preventing the accrual of unnecessary security debt.”
As enterprises continue to accelerate digital transformation initiatives to support remote work and digital business, developers continuously bring software to market at record velocities. Additionally, as cyber-attacks and supply chain attacks grow in scale and frequency, enterprises are placing heightened awareness on code security.
The report reveals that tightly integrating security testing with the CI/CD pipeline results in better outcomes that will be critical as the world continues to rely on digital services and enterprises accelerate security transformation.
Vulnerability scans speed is key
- Speed and frequency of scans – While legacy security analysis tools can take hours or even days to conduct a full scan, ShiftLeft customers experienced a median scan time of 2 minutes and 20 seconds. With shorter scan times, 46% of applications are scanned at least weekly and 17% are scanned at least daily.
- Prioritizing findings for modern applications – Legacy analysis tools generate a large number of false positives that can overwhelm AppSec and development teams. When open source vulnerabilities are prioritized by accounting for true “reachability,” organizations reduce the number of their SCA tickets by an average of 92%.
- Fix-rates for managed CI/CD – When increasing the speed and frequency of scans and prioritizing SCA tickets, ShiftLeft found enterprises that tightly integrate security testing within their CI/CD pipeline fix 91.4% of new issues. Overall, customers fixed 58% of new issues before they became technical debt.
- Security fixes by type – As organizations fix a higher number of vulnerabilities in their applications, 86% of these fixes were for critical or well-known issue classes. The most fixed issue types were all in the OWASP Top Ten.
Application security is still commonly performed with outdated SAST technology that takes hours or days to execute. While SCA tools may find risk in OS libraries, they often fall short of determining whether vulnerabilities are actually reachable.
In today’s modern, digital business era, enterprises require a combination of intelligent, prioritized SCA and SAST tools to manage risk at the speed of DevOps.