In the age of digital transformation, every company has become a software company. And with software come vulnerabilities, and malicious attackers who will try to exploit them. These digital enterprises have been seeking a way to pre-empt, prevent, and defend themselves against these attacks: a way to shift security left.
The concept and process of shifting left has been everywhere lately. The RSA Conference 2022 just wrapped up in San Francisco, and it seemed every security vendor touted how they help shift left. Rather than a bolt-on after the fact, the shift left makes cyber security a first-class citizen in digital business. And the goal is to be proactive and prevent or fix security issues before they are attackable by a threat actor.
The earlier you identify security issues, the less risk the organization is exposed to from the start, the less they will cost to resolve, and the easier they will be to fix. Companies that are shifting left see this statement holding true.
In application security, shifting left means making your app development a de facto part of your security strategy. By giving developers the ability to find and fix security vulnerabilities that expose the biggest risk to the company, teams can achieve the goal of shifting left and see real business value.
The process of shifting left begins with the need to establish a baseline: the metrics used to measure application security progress. How many vulnerabilities exist in our applications? How many of those are attackable? How quickly are they being fixed?
Despite having a wealth of security tooling, many organizations find themselves unable to answer these questions.
By implementing DevSecOps processes and shifting security left and into developers' hands, we have seen organizations make significant improvements to their remediation efforts. These include:
- When considering open source vulnerabilities (remediation of which falls to developers), 97% of them were not attackable and didn’t present risk to the business. So they didn’t need to be fixed immediately.
- Over two years, we’ve seen organizations reduce their mean time to remediate (MTTR) issues from 19 days to 12 days, eliminating a full work week of security fixes in exchange for better productivity and innovation.
- When AppSec provides daily feedback from application scans, development teams are fixing 76% of vulnerabilities within the sprint in which they’re found, meaning typically within 14 days.
- Teams that shift left are better at prioritizing their technical debt and backlog, focusing on remediating real risk and innovating instead of wasting time. Among the customers who have shifted left, organizations report that only 1 in 3 application teams have vulnerabilities which are attackable.
Here at ShiftLeft, we’ve been granted a front row seat to work with organizations as they shift left. It’s that perspective that has given us the ability to see the results that come from the people, processes, and technologies available. And we’re incredibly excited to see where the shift left takes security over the next year.
Download the 2022 AppSec Progress Report Here
If your application security and dev teams are looking to shift left, we want to be your partners. Please reach out to get a demo of our platform and discuss how we can help your team shift left successfully.