ShiftLeft on Thursday posted some rare positive news on the AppSec front, reporting that, based on millions of customer scans, it has seen a 97% reduction in open source software (OSS) vulnerabilities.
Researchers said that by identifying and prioritizing OSS vulnerabilities that are truly attackable, AppSec teams and developers can now fix what matters, ship code faster, and improve security with fewer, higher-quality patches.
In other important findings, ShiftLeft’s report states that by focusing on attackable vulnerabilities and reducing false positives, developers can deliver fixes faster and reduce mean time to resolution (MTTR). ShiftLeft reported a 37% reduction in MTTR year-over-year, which it claims improves overall security and reduces the likelihood of attacks by shortening the time vulnerabilities remain exposed.
The report also highlighted that quick scans now allow security teams to scan more frequently, improving security by enabling better coverage of very large applications that previously required hours or days of scanning. Overall, ShiftLeft reported a median scan time of 90 seconds.
Casey Bisson, product and developer relations manager at BluBracket, said this report from ShiftLeft highlights how the combination of people, processes, and tools can improve application and code security outcomes, especially where open source code and software are used. Bisson said automated, real-time analysis of every commit has become an integral part of the CI process and the most efficient way to give developers the feedback they need to improve security during development and before deployment.
“In general, we find that teams that put security first perform better regardless of what solutions they use,” Bisson said. “The problem is that they are in the minority. Greater awareness of ongoing code and application security issues is essential, which is why, for example, we have partnered with the Linux Foundation to help secure software at source. It’s critical to make security easy enough that teams don’t have to work hard to prioritize it.”
Scott Gerlach, co-founder and CSO at StackHawk, said changes in MTTR are positive indicators of improvement, but show how much more needs to be done. Gerlach said that while we’re still sending vulnerabilities to production to find them and then coming back to fix them, it’s not moving left.
“It’s best to improve the old-fashioned way,” Gerlach said. “Leading organizations are giving developers the tools and information to patch those same 76% of attackable vulnerabilities while they are writing the software. This means we release high-quality software and have room in the next two sprints to work on features instead of rework.”