Teams that shift security left and focus on attackability ship more secure code

ShiftLeft released its second annual AppSec Progress Report documenting critical trends in application security and how organizations are shifting security left to deal with the ever-rising volume of attacks and disclosed vulnerabilities.

97% reduction in open source software (OSS) vulnerabilities

By identifying and prioritizing OSS vulns that are actually attackable, AppSec teams and developers fix what matters, ship code faster and actually improve security with fewer, better fixes.

37% YoY reduction in Mean-Time-to-Remediate (MTTR)

Laser focus on attackability and reduced false positives allows developers to make fixes faster and reduce MTTR. This improves security posture and reduces the likelihood of attacks by reducing the time that vulnerabilities are exposed. In fact, ShiftLeft found that development teams were fixing 76% of attackable vulnerabilities within two sprints (12 days).

90 second median scan time

Rapid scans enable teams to scan more frequently, improving security coverage for fast iterating applications and enabling better coverage of very large applications that previously required hours or days to scan.

Significant increase in scan frequency

Faster scans, automated insertion in CI pipelines, and greater scan coverage across more languages, also enabled AppSec teams to shift from scanning for vulnerabilities monthly or weekly to daily scans. The report tracked 68% increase year-over-year in daily scans.

Estimated vulnerable Log4j exposure at 4%

Due to the pervasive and widespread nature of Log4j, many application security teams struggled to identify all instances of the logging library in their application stack. Obscured and nested instances (in JAR files, for example) caused particular problems. ShiftLeft analyzed scans for the Log4j vulnerability and mapped actual data flows through production applications by combining the results of Static Application Security Testing (SAST) analysis and Software Composition Analysis (SCA). The analysis found that only 4% of all Log4j instances were vulnerable. Teams that had this information saved months of wasted time hunting down and fixing Log4j instances that posed little or no risk.

“Based on our findings, two out of three development teams are literally wasting time on the 97% of fixes that are not attackable and provide little security benefit,” said Manish Gupta, CEO at ShiftLeft. “On the other hand, teams that shift security left and focus on attackability ship more secure code, more frequently. This clearly improves the security of their applications while also improving developer productivity and product velocity.”

The report highlights how shifting application security left to engage developers earlier in the software development lifecycle results in faster fixes and less wasted energy prioritizing and fixing vulnerabilities that pose little to no risk. It also underscores the importance of a holistic technology approach that integrates both SAST and SCA to provide a clear picture of attackability and subsequent prioritization of security fixes to reduce focus to fixing what matters.