According to new research, only three percent of ‘critical’ code vulnerabilities are attackable, which means developers should be able to prioritize their efforts better and significantly reduce their workload.
The study from automated security testing firm ShiftLeft finds that focusing on the three percent allows teams to greatly speed up and simplify efforts. ShiftLeft saw a 37 percent improvement from last year in mean time to remediate new vulnerabilities with a median scan time of 1 minute 30 seconds.
Faster scans, automated insertion into CI pipelines, and greater scan coverage across more languages also enabled AppSec teams to shift from scanning for vulnerabilities monthly or weekly to scanning daily. The report tracked a 68 percent increase year-on-year in daily scans.
By identifying and prioritizing the OSS vulnerabilities that are actually attackable, AppSec teams and developers fix what matters, ship code faster and improve security with fewer, better fixes.
“Based on our findings, two out of three development teams are literally wasting time on the 97 percent of fixes that are not attackable and provide little security benefit,” says Manish Gupta, CEO at ShiftLeft. “On the other hand, teams that shift security left and focus on attackability ship more secure code, more frequently. This clearly improves the security of their applications while also improving developer productivity and product velocity.”
ShiftLeft also looked specifically at scans for the Log4J vulnerability and mapped actual data flows through production applications by combining the results of Static Application Security Testing (SAST) analysis and Software Composition Analysis (SCA). This analysis found that only four percent of all Log4J instances were in fact vulnerable. Teams that had this information saved months of wasted time hunting down and fixing Log4J instances that posed little or no risk.
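As an added illustration of the reachability idea behind combining SAST data flows with SCA findings (this is example code written for this page, not ShiftLeft's tool or method): an SCA finding is only marked attackable when its vulnerable symbol is reachable, through the application's call graph, from an entry point that handles untrusted input, and the call path is kept as evidence. The dependency names, call graph, entry points and advisory ids below are constructed placeholders.

```python
from collections import deque

# Constructed SCA inventory: (dependency, vulnerable symbol, advisory id).
# Advisory ids are placeholders, not real identifiers.
SCA_FINDINGS = [
    ("log4j-core", "log4j.JndiLookup.lookup", "ADVISORY-PLACEHOLDER-1"),
    ("commons-text", "commons.StringSubstitutor.replace", "ADVISORY-PLACEHOLDER-2"),
    ("old-xml-lib", "xml.Parser.parseExternalEntity", "ADVISORY-PLACEHOLDER-3"),
]

# Constructed call graph (caller -> callees), as a SAST pass might emit it.
CALL_GRAPH = {
    "web.LoginController.post": ["app.AuthService.login", "logging.Logger.info"],
    "app.AuthService.login": ["db.UserRepo.find"],
    "logging.Logger.info": ["log4j.PatternLayout.format"],
    "log4j.PatternLayout.format": ["log4j.JndiLookup.lookup"],
    # Scheduled job fed only constant input; not an entry point for untrusted data.
    "admin.ReportJob.run": ["commons.StringSubstitutor.replace"],
    "db.UserRepo.find": [],
}

# Entry points that receive attacker-controlled input (HTTP handlers etc.).
# Choosing these carefully is the whole game: a missed entry point hides a path.
ENTRY_POINTS = ["web.LoginController.post"]


def reachable_from(entry_points, call_graph):
    """BFS over the call graph; returns {symbol: caller} for every reachable symbol."""
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    return parent


def call_path(parent, symbol):
    """Reconstruct the entry-point-to-symbol path as evidence for the finding."""
    path = []
    while symbol is not None:
        path.append(symbol)
        symbol = parent[symbol]
    return list(reversed(path))


def triage(findings, call_graph, entry_points):
    """Split SCA findings into attackable (reachable from untrusted input) and unreachable."""
    parent = reachable_from(entry_points, call_graph)
    attackable, unreachable = [], []
    for dep, symbol, advisory in findings:
        if symbol in parent:
            attackable.append((dep, advisory, call_path(parent, symbol)))
        else:
            unreachable.append((dep, advisory))
    return attackable, unreachable
```

A finding in the unreachable list still deserves an upgrade on the next maintenance cycle; the point of the split is ordering the work, not discarding it.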
The full report is available from the ShiftLeft site.