ShiftLeft, Inc., an innovator in automated application security, released a new version of NextGen Static Analysis (NG SAST) that includes new workflows purpose-built for developers, which significantly improve security while enhancing productivity. ShiftLeft’s customer data confirms that developer productivity suffers when security isn’t automated and seamlessly integrated into the software development lifecycle (SDLC).
Security productivity challenges are rooted in the disconnect between the modern SDLC and the incremental improvements from legacy application security tools, which were designed for ad hoc scanning in the legacy waterfall model of software development. With staffing ratios often in excess of 200 developers for every AppSec professional, scaling security to meet the requirements of agile SDLCs requires increasing both developer engagement and efficiency.
Developers Overwhelmingly Believe Disconnect with Security Inhibits Productivity
In a new survey of over 165 developers, AppSec and DevOps professionals, ShiftLeft found that 96% of developers believe the disconnect between developer and security workflows inhibits developer productivity. Furthermore, when asked to prioritize, AppSec professionals ranked creating developer-friendly security workflows as their top priority, which was even higher than protecting applications in production environments.
“Deprioritization of security has been the most common approach to balancing AppSec with developer productivity because automating security in developer workflows has historically been prohibitively expensive for all but the most elite security organizations,” said Izak Mutlu, former VP of Information Security at Salesforce.com. “ShiftLeft’s NG SAST combines industry-leading scan speed, accuracy and a seamless workflow for rapid collaboration between development and AppSec teams so organizations of all sizes can run their AppSec initiatives at the pace of software development.”
The rise of long-term and permanent remote work has increased the amount of business being done online, and therefore the number of web properties and applications that need to be developed and supported. As organizations demand that software be built and delivered at an ever-increasing velocity, improving developer productivity while enhancing security is critical. The survey revealed that performing security scans too late in the SDLC (89.7%) and lack of remediation guidance (87.7%) are also significant inhibitors to developer productivity.
ShiftLeft’s New Developer-Driven Workflows Significantly Increase Productivity and Quality of Application Security
To scale security and address developer productivity challenges, ShiftLeft’s new version of NG SAST delivers holistic workflows with developer engagement and productivity as a first principle. The new developer-driven security workflow relies on the git-based process that developers already use to write and update code. This allows organizations to:
- Automate code analysis with every pull/merge request
- Deliver immediate and accurate security feedback directly to each developer making the change
- Enable developers to fix vulnerabilities the same way they address bugs, without leaving their development environment
- Enable AppSec teams to write security-focused build rules that accept or deny merges, thereby allowing AppSec to scale
- Help developers adopt secure coding best practices through Security Insights
- Eliminate scanning bottlenecks with unlimited concurrent scans
- Protect intellectual property by scanning without taking source code outside of their organization
- Rapidly deploy with self-service onboarding that doesn’t require network architecture updates, new firewall configurations or expensive professional services
- Further customize workflows through comprehensive APIs
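The merge-gating step in the workflow above (an AppSec-authored build rule that accepts or denies a pull request based on the scan findings for that change, and feeds the blocking findings back to the developer who made it) is illustrated here with an added, vendor-neutral example. This is not ShiftLeft’s code or API; the findings JSON, the rule schema and the field names are assumptions constructed for the illustration.

```python
"""Hypothetical merge-gate evaluator for pull-request security scans.

Added illustration, not ShiftLeft's code or API. The findings format
(id, severity, category, file, line, introduced_in_pr) and the rule
schema are assumptions constructed for this example.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: what a scanner might report for one pull request.
# F-3 is a pre-existing finding in code the PR did not touch.
SAMPLE_FINDINGS_JSON = """
[
  {"id": "F-1", "severity": "critical", "category": "sql-injection",
   "file": "app/db.py", "line": 42, "introduced_in_pr": true},
  {"id": "F-2", "severity": "medium", "category": "hardcoded-secret",
   "file": "app/config.py", "line": 7, "introduced_in_pr": true},
  {"id": "F-3", "severity": "critical", "category": "deserialization",
   "file": "legacy/old.py", "line": 100, "introduced_in_pr": false}
]
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class BuildRule:
    """One AppSec-owned policy: deny the merge when a finding matches."""
    name: str
    min_severity: str                          # block at this level or above
    categories: frozenset = field(default_factory=frozenset)  # empty = any
    new_code_only: bool = True                 # ignore pre-existing debt


# Hypothetical default policy: new critical findings of any kind block,
# and any new hard-coded secret of medium severity or above blocks.
DEFAULT_RULES = (
    BuildRule("no-new-criticals", "critical"),
    BuildRule("no-new-secrets", "medium", frozenset({"hardcoded-secret"})),
)


def load_findings(raw_json):
    """Parse the scanner output; reject records missing required fields."""
    required = {"id", "severity", "category", "file", "line"}
    findings = json.loads(raw_json)
    for f in findings:
        missing = required - f.keys()
        if missing:
            raise ValueError(f"finding {f.get('id')} missing {sorted(missing)}")
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"finding {f['id']} has unknown severity")
    return findings


def finding_matches(rule, finding):
    """True when this finding violates this rule."""
    if rule.new_code_only and not finding.get("introduced_in_pr", False):
        return False
    if SEVERITY_RANK[finding["severity"]] < SEVERITY_RANK[rule.min_severity]:
        return False
    if rule.categories and finding["category"] not in rule.categories:
        return False
    return True


def evaluate_merge(findings, rules=DEFAULT_RULES):
    """Return (allowed, blocking) where blocking lists (rule, id, file, line).

    A pre-existing finding never blocks under new_code_only rules, so the
    gate stays focused on the change in front of the developer rather than
    on the whole backlog.
    """
    blocking = []
    for rule in rules:
        for f in findings:
            if finding_matches(rule, f):
                blocking.append((rule.name, f["id"], f["file"], f["line"]))
    return (len(blocking) == 0, blocking)


def developer_feedback(blocking):
    """One line per blocking finding, pointing at the exact file and line."""
    return [f"{file}:{line} blocked by rule '{rule}' (finding {fid})"
            for rule, fid, file, line in blocking]


if __name__ == "__main__":
    allowed, blocking = evaluate_merge(load_findings(SAMPLE_FINDINGS_JSON))
    print("merge allowed:", allowed)
    for line in developer_feedback(blocking):
        print(" ", line)
```

The point of the `new_code_only` flag is that the rule blocks the developer on what their own change introduced and leaves pre-existing findings to a separate backlog process, which is what keeps the gate from becoming a bottleneck that developers learn to route around.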
This developer-centric approach to code analysis greatly increases security and productivity by delivering the right vulnerability to the right developer at the right time. Mean time to remediation (MTTR) is reduced because vulnerabilities get fixed while the code is still fresh in the developers’ minds, and vulnerable code doesn’t become deeply interconnected because security build rules prevent it from entering the master branch.
“ShiftLeft’s NextGen Static Analysis gave us the speed and accuracy that we needed to create security feedback loops for our development team without altering their workflows. By scanning every pull request, our software engineers are able to fix vulnerabilities far more efficiently,” said Thomas Heuckeroth, VP CyberSecurity at The Emirates Group. “Not only are we seeing a month-over-month decline in MTTR, but it’s now common for vulnerabilities to get fixed in the same sprint they are found and, most importantly, our engineers really like the process.”
ShiftLeft customers who automate NG SAST at the pull request increase scanning frequency by 110X over the industry average. Furthermore, by providing security feedback in the developer’s workflow, customers experience a 4.9X reduction in MTTR within 90 days of going live. The result is that 70% of new vulnerabilities get fixed in a typical three-week sprint, before making it into production. By spending less time fixing vulnerabilities and more time writing new code, developers can increase productivity while enhancing security.
“The only way to deliver security at the pace of modern SDLCs is to create a culture of individual developer accountability for the security of the code they write. However, this demands new AppSec solutions purpose-built for today’s requirements,” said Manish Gupta, CEO of ShiftLeft. “Based on our new survey, it’s clear developers feel ad hoc security processes and the tools they have available to them today aren’t helping. We’ve always put productivity and security at the foundation of our platform, and our customers’ results demonstrate that the new workflow is significantly improving their security postures while increasing developer productivity.”
ShiftLeft’s NextGen Static Analysis (NG SAST) is purpose-built to insert security into developer workflows. NG SAST’s speed and accuracy enable security automation with every pull request, which provides the right developer with the right vulnerability information at the right time. Hence, vulnerabilities get fixed faster and earlier, which drives down mean time to remediation (MTTR), reduces attack surfaces and minimizes technical debt accrual. Furthermore, NG SAST goes beyond technical vulnerabilities (e.g., the OWASP Top Ten) to identify cloud-centric vulnerabilities that traditional static analysis tools can’t find, such as business logic flaws, data leakage, hard-coded literals and insider threats.
To learn how ShiftLeft keeps application security in sync with the rapid pace of DevOps, see https://www.shiftleft.io/.