Only 3% of app vulnerabilities can be attacked
Duncan is an award-winning editor with over 20 years of journalism experience. After starting his career in technical journalism as editor of Arabian Computer News in Dubai, he has since edited a range of technical and digital marketing publications including Computer Business Review, TechWeekEurope, Figaro Digital, Digit and Marketing Gazette.
ShiftLeft, an innovator in automated application security testing, has released its second annual AppSec Progress Report, documenting key trends in application security and how organizations are shifting security left in response to the growing number of attacks and disclosed vulnerabilities.
The report covers year-over-year trends and overall findings drawn from millions of scans run last year on the ShiftLeft CORE platform, across applications written in numerous programming languages and deployed on a variety of architectures, including cloud-native, on-premise and hybrid configurations.
Key findings from the report include:
97% fewer open source software (OSS) vulnerabilities to fix — By identifying and prioritizing the OSS vulnerabilities that are actually attackable, AppSec teams and developers fix what matters, ship code faster, and genuinely improve security with fewer, better-targeted fixes.
37% year-over-year reduction in Mean Time to Remediate (MTTR) – A tight focus on attackability, with fewer false positives, lets developers apply fixes faster and cuts MTTR. This improves security posture and shrinks the window in which a vulnerability is exposed. ShiftLeft found that development teams resolved 76% of attackable vulnerabilities within two sprints (12 days).
90 seconds median scan time — Rapid scans allow teams to scan more frequently, improving security coverage for fast-iterating applications and making it practical to cover very large applications that previously took hours or days to scan.
Significant increase in scan frequency — Faster scans, automated integration into CI pipelines, and coverage of more languages let AppSec teams move from monthly or weekly vulnerability scanning to daily scans. The report tracked a 68% year-over-year increase in daily scans.
Only 4% exposure to vulnerable Log4J — Because Log4J is so ubiquitous, many application security teams struggled to identify every instance of the logging library in their application stack; obfuscated and nested instances (for example, JARs packaged inside other JARs or WARs) were particularly hard to find. ShiftLeft analyzed scans for the Log4J vulnerability (Log4Shell, CVE-2021-44228) and mapped actual data flows through production applications by combining Static Application Security Testing (SAST) with Software Composition Analysis (SCA). The analysis found that only 4% of all Log4J instances were actually attackable, that is, reachable by attacker-controlled data. Teams with this information avoided months of effort locating and patching Log4J instances that presented little or no risk.
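The Log4J finding above rests on two steps: first inventory every copy of log4j-core, including copies nested inside other archives or stripped of their Maven metadata, and only then decide which of them are attackable by tracing data flows. The script below is an added example, not ShiftLeft's code or any output of the report, and it covers only the inventory (SCA-side) step: it walks a WAR recursively, recovers the log4j-core version from `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, notes whether `JndiLookup.class` is present (its removal was a common emergency mitigation, and its presence under a relocated package is how a shaded copy without metadata gives itself away), and maps the version onto the Log4Shell-family CVE ranges published in the Apache Log4j advisories. The sample WAR is constructed in memory for the demonstration; the function and field names are this example's own. It deliberately does not attempt the data-flow step, because that requires a source-level analysis of which log calls can receive attacker-controlled strings.

```python
"""Added example: inventory log4j-core instances in nested Java archives (JAR/WAR/EAR)."""
import io
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven-built log4j-core jars carry their version here; shaded/relocated copies often do not.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs JNDI lookups; deleting it from the jar was a common emergency mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Java 6/7 backport releases that shipped the fixes without moving to 2.17.x (per the Apache advisories).
BACKPORT_FIXED = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}
QUALIFIER_RANK = {"alpha": -3, "beta": -2, "rc": -1}


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; pre-releases sort below the release."""
    base, _, qualifier = text.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums += (0,) * (3 - len(nums))
    if not qualifier:
        return nums + (0, 0)
    word = re.match(r"[a-zA-Z]+", qualifier)
    number = re.search(r"\d+", qualifier)
    rank = QUALIFIER_RANK.get(word.group(0).lower() if word else "", -1)
    return nums + (rank, int(number.group(0)) if number else 0)


def classify(version):
    """Map a log4j-core version string to its Log4Shell-family status (version ranges from the Apache advisories)."""
    if version is None:
        return "version unknown (no pom.properties): identify the build manually"
    if version in BACKPORT_FIXED:
        return "backport release: not affected by CVE-2021-44228/-45046/-45105"
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "not affected by CVE-2021-44228 (predates 2.0-beta9; 1.x is end-of-life with its own CVEs)"
    if v <= parse_version("2.14.1"):
        return "CVE-2021-44228 (Log4Shell, RCE): upgrade"
    if v < parse_version("2.16.0"):
        return "CVE-2021-45046 (RCE/DoS in non-default configurations): upgrade"
    if v < parse_version("2.17.0"):
        return "CVE-2021-45105 (DoS via recursive lookups): upgrade"
    return "not affected by CVE-2021-44228/-45046/-45105"


def scan_archive(data, path, findings=None):
    """Walk one archive given as bytes, recursing into nested archives.
    Nested paths use the 'outer.war!/inner.jar' convention. Returns the list of findings."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = match.group(1).strip() if match else None
        # A shaded/relocated copy keeps the class name even when the package prefix changes.
        has_jndi = any(n.endswith("log4j/core/lookup/JndiLookup.class") for n in names)
        if version is not None or has_jndi:
            findings.append({"path": path, "version": version,
                             "jndi_lookup_class": has_jndi, "status": classify(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    scan_archive(zf.read(name), f"{path}!/{name}", findings)
                except zipfile.BadZipFile:
                    pass  # not actually a zip (corrupt or encrypted); skip it
    return findings


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR (not real software): a vulnerable log4j-core, a vendor jar that nests
    a patched copy, and a relocated copy with no Maven metadata."""
    class_stub = b"\xca\xfe\xba\xbe"  # Java class-file magic; enough for a name-based scan
    vulnerable = _make_zip({POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP: class_stub})
    patched = _make_zip({POM_PROPS: "version=2.17.1\n", JNDI_LOOKUP: class_stub})
    vendor_lib = _make_zip({"lib/log4j-core-2.17.1.jar": patched, "com/example/Util.class": class_stub})
    relocated = _make_zip({"shaded/" + JNDI_LOOKUP: class_stub})
    return _make_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable,
        "WEB-INF/lib/vendor-lib.jar": vendor_lib,
        "WEB-INF/lib/obfuscated.jar": relocated,
        "WEB-INF/classes/App.class": class_stub,
    })


if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "app.war"):
        present = "present" if finding["jndi_lookup_class"] else "absent"
        print(f"{finding['path']}\n    version={finding['version']} JndiLookup={present}\n    {finding['status']}")
```

Two caveats a practitioner should keep in mind. A version match is necessary but not sufficient: it tells you which copies to look at, while the report's 4% figure came from the data-flow step, which asks whether attacker-controlled input can reach a log statement in that copy. And the absence of Maven metadata is exactly the obfuscated case the report mentions, so a copy reported as "version unknown" needs manual identification rather than being dropped from the list.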
The report highlights how shifting application security to developers earlier in the software development lifecycle results in faster fixes and less energy wasted prioritizing and fixing vulnerabilities that pose little to no risk. It also underlines the importance of a holistic approach that integrates both SAST and SCA to provide a clear picture of attackability, so that prioritization and remediation concentrate on what matters.
Manish Gupta, CEO of ShiftLeft, said: “Based on our findings, two out of three development teams are literally wasting time on the 97% of fixes that are unattackable and offer little security benefit.
“On the other hand, teams that move security to the left and focus on attackability are sending code more often and more securely. This clearly improves the security of their applications while improving developer productivity and product speed.”