Having spent 15 years detecting malware — viruses, intrusions, worms, nation-state attacks, etc. — I learned that much of security is reactive. We let the bad guy shoot first and then try to figure out how we are going to protect ourselves. Software vulnerabilities are one of the most important problems in security, and if, as a thought experiment, we could eliminate vulnerabilities in software, cyber would be a much safer place. It is with this goal — reduce vulnerabilities in software — that I started ShiftLeft.
Reducing software security risk requires a rethink of how we analyze software, because modern software is much different — microservices, the rise of APIs and open source, and the pace and automation of software development, to name a few. This requires a new approach to analyzing software and a collaborative workflow between AppSec and Developers that serves the unique requirements of both parties yet allows them to work together to reduce vulnerabilities.
How do we measure whether ShiftLeft is achieving its goal? The #1 metric in AppSec is “how many vulnerabilities are getting fixed and how quickly”. And I am proud to announce today the release of our first “AppSec Shift Left Progress Report” that summarizes the experience of our customers over the last 12 months.
My favorite statistic: “ShiftLeft customers who have automated ShiftLeft in their CI/CD pipeline are fixing 91.4% of new vulnerabilities within two sprints”!
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Manish Gupta. Read the original post at: https://blog.shiftleft.io/progress-in-numbers-our-first-customer-report-664a15204e63?source=rss----86a4f941c7da---4