ShiftLeft, an innovator in automated application security testing, released its second annual AppSec Progress Report documenting critical trends in application security and how organizations are shifting security left to deal with the ever-rising volume of attacks and disclosed vulnerabilities. The report covers year-over-year trends and general findings analyzed from millions of scans last year using the ShiftLeft CORE platform across applications running numerous programming languages in different technology architectures including cloud native, on-premise and hybrid configurations.
Key findings from the report include:
- 97% reduction in open source software (OSS) vulnerabilities — By identifying and prioritizing OSS vulns that are actually attackable, AppSec teams and developers fix what matters, ship code faster and actually improve security with fewer, better fixes.
- 37% YoY reduction in Mean-Time-to-Remediate (MTTR) — Laser focus on attackability and reduced false positives allows developers to make fixes faster and reduce MTTR. This improves security posture and reduces the likelihood of attacks by reducing the time that vulnerabilities are exposed. In fact, ShiftLeft found that development teams were fixing 76% of attackable vulnerabilities within two sprints (12 days).
- 90 second median scan time — Rapid scans enable teams to scan more frequently, improving security coverage for fast iterating applications and enabling better coverage of very large applications that previously required hours or days to scan.
- Significant increase in scan frequency —- Faster scans, automated insertion in CI pipelines, and greater scan coverage across more languages, also enabled AppSec teams to shift from scanning for vulnerabilities monthly or weekly to daily scans. The report tracked 68% increase year-over-year in daily scans.
- Estimated vulnerable Log4J exposure at only 4% — Due to the pervasive and widespread nature of Log4J, many application security teams struggled to identify all instances of the logging library in their application stack. Obscured and nested instances (in JAR files, for example) caused particular problems. ShiftLeft analyzed scans for the Log4J vulnerability and mapped actual data flows through production applications by combining the results of Static Application Security Testing (SAST) analysis and Software Composition Analysis (SCA). The analysis found that only 4% of all Log4J instances were vulnerable. Teams that had this information saved months of wasted time hunting down and fixing Log4J instances that posed little or no risk.
The report highlights how shifting application security left to engage developers earlier in the software development lifecycle results in faster fixes and less wasted energy prioritizing and fixing vulnerabilities that pose little to no risk. The report also underscores the importance of a holistic technology approach that integrates both SAST and SCA to provide a clear picture of attackability and subsequent prioritization of security fixes to reduce focus to fixing what matters.
“Based on our findings, two out of three development teams are literally wasting time on the 97% of fixes that are not attackable and provide little security benefit,” said Manish Gupta, CEO at ShiftLeft. “On the other hand, teams that shift security left and focus on attackability ship more secure code, more frequently. This clearly improves the security of their applications while also improving developer productivity and product velocity.”
ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left. A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California.