As a developer, working through your team's bug backlog can sometimes feel like bailing out a rowboat with only a leaky bucket. As a security leader, working through the backlog for your entire application portfolio can feel like bailing out a sinking ship with that same bucket. You are able to fix vulnerabilities, but the increased rate of code deployment across your organization leads to a backlog that is difficult to contain.
A critical component of any application security testing solution is its ability to deliver the quickest possible turnaround for catching and resolving issues -- allowing you to mitigate risk and keep your ship afloat.
In the middle of last year, Veracode published its 9th volume of State of Software Security. They analyzed the rate at which teams, using their Static Analysis Security Testing (SAST) tool, fixed vulnerabilities. Here are three key stats from the report:
- Veracode customers fixed just under 30% of vulnerabilities in the first month after their initial discovery
- Nearly 55% of vulnerabilities persisted more than three months after discovery
- Only about 70% of vulnerabilities were closed within a year from discovery
At Contrast, we are obsessed with the idea that modern software necessitates a new model for security testing. Our customers report that Contrast uniquely empowers developers and security leaders to find and fix vulnerabilities faster than their legacy tools. To quantify how much faster, we had our Data Labs team run a similar analysis to measure our customers' fix velocity. Looking at a sample of nearly half a million vulnerabilities reported over the course of the previous 12 months, here is what we found:
- Contrast customers fixed 58% of vulnerabilities within the first month from discovery
- Only 33% of vulnerabilities persisted more than 3 months after discovery
- Contrast customers closed 70% of all vulnerabilities within the first 96 days from discovery
These results are staggering and one reason why Agile / DevOps teams prefer Contrast. The benefits of delivering security that is embedded right into your code are numerous, from improved accuracy, through better automation, to increased scalability. These benefits are indisputable, but what is more important is the business outcomes they enable. Reducing more of your vulnerability backlog, and doing so faster, directly translates into cost savings, accelerated time-to-market, and overall reduced risk.
A key driver influencing your time to fix metric is ensuring developers are empowered to be self-sufficient. Self-sufficiency is achieved when developers do not have to rely on security experts to find, triage, and fix vulnerabilities (pro tip: if developers are asked to sit in on long readout calls with your vendor’s security consultants, then you already know that your time to fix metrics will be prolonged). Looking at our data, we found that development teams using Contrast were able to fix 70% of their vulnerabilities in less than ⅓ of the time. Or, in other words, they fixed vulnerabilities more than 3x faster than with SAST! At Contrast, we like to think of this reality as creating a “new normal” for development and security teams. A new normal in which you rescue your organization from sinking under the weight of an ever-rising backlog while making real headway towards improving its overall security posture. We believe this “new normal” is better.