Bill Gates is well known for treating time as a scarce resource, and in 1994, John Seabrook published a piece in The New Yorker detailing an email exchange he carried on with the famous technologist. Seabrook notes that Gates’ reverence for time was evident in his correspondence – skipping salutations and pleasantries, leaving spelling mistakes and grammatical errors in-line, and never addressing the journalist by his name. In one of the emails, Gates wrote that, “the digital revolution is all about facilitation – creating tools to make things easy.”
Software is the heart of the global economy. It has paved the way for increased productivity and simplified workflows, and it has helped leaders build businesses beyond their wildest dreams. It has also changed the way security practitioners and developer teams view and manage time, through agile methodology and sprint planning facilitated by tools like JIRA.
Just as minutes, hours, and days can be the difference between meeting sprint deadlines and maintaining speed to market, time is also the difference between preventing a massive data breach and being the victim of one. However, although a cutting-corners approach may work well for email correspondence between colleagues, and perhaps journalists, using this timesaving approach when crafting code has the potential to be downright dangerous. Organizations today need to balance time to market and code quality, which includes code security.
How organizations reduced mean time to remediation and saw a 63% ROI with Veracode
We recently commissioned the Forrester Total Economic Impact™ of Veracode Application Security Platform to learn how our customers’ security and developer teams are strengthening the security posture of their applications and reducing mean time to remediation (MTTR) by implementing DevSecOps practices with our solutions. Based on interviews with Veracode customers in insurance, healthcare, finance, and information technology services, Forrester created a TEI framework, a composite company, and an associated ROI analysis to illustrate the financial impact.
The report found that prior to using Veracode, the composite organization experienced 60 flaws per MB of code, even though it was already using other application security testing solutions. After adopting the Veracode Platform and integrating its tools into the CI/CD pipeline, the composite saw a reduction in security flaws of 50 percent to 90 percent over three years.
Additionally, by implementing DevSecOps practices, building stringent security controls, and integrating vulnerability testing into their CI/CD pipeline, our customers were able to reduce mean time to remediation by 90 percent. Resolutions that previously took 2.5 hours on average were reduced to 15 minutes, helping developers reduce their time spent remediating flaws by 47 percent. This stands to reason, given that our State of Software Security Volume 9 (SOSS Vol. 9) found that the most active DevSecOps teams fix flaws 11.5x faster than the typical organization.
By using Veracode Static Analysis IDE Scan and Veracode Software Composition Analysis, developer teams were able to identify issues while they were coding, which reduced the likelihood that flaws would reach later stages of the pipeline and production. What’s more, our customers’ developer teams introduced fewer flaws into their code, and those flaws took less time to resolve because we gave them contextual information about the data path and call stack behind each finding.
It’s not enough to find security flaws quickly if you’re not remediating the right ones quickly
Most companies prioritize high-severity and critical vulnerabilities because they are less complicated to attack, offer greater opportunity for complete application compromise, and are more likely to be remotely exploitable. The trouble is that a low-severity vulnerability sitting on the application’s execution path may put the application at greater risk than a high-severity vulnerability in code the application never calls in the first place. The exploitability of a vulnerability, whether the vulnerable code is actually reachable, is a critical consideration many organizations overlook.
In our analysis of flaw persistence in SOSS Vol. 9, we found that organizations hit the three-quarters-closed mark about 57 percent sooner for high and very high severity vulnerabilities than for their less severe counterparts. In fact, our scan data indicates that low-severity flaws were attended to at a significantly slower rate than the average speed of closure: it took organizations an average of 604 days to close three quarters of these weaknesses.
With many tools out there, developers receive an extremely large list of vulnerabilities, including those in open source libraries packaged in the application, and they have to make a judgment call on what to fix first – and how much is worth fixing before pushing to production. The stark reality is that the time it takes developers to fix security flaws has a much larger impact on reducing risk than any other factor.
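As an added illustration of the prioritization argument above (example code, not Veracode’s vulnerable method implementation), the script below ranks a constructed list of findings by whether the flawed method is reachable from the application’s entry points before falling back to severity. The call graph, method names, flaw ids and severities are all hypothetical sample data.

```python
"""Reachability-aware flaw prioritization (added example; constructed data).

A finding in a method the application can reach from its entry points is
ranked ahead of a higher-severity finding in a method that is never called.
"""
from collections import deque

# Constructed call graph: caller -> callees. All method names are hypothetical.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["lib.xml.parse", "lib.zip.extract"],
    "app.render_report": ["lib.template.render"],
    "lib.xml.parse": ["lib.xml.resolve_entity"],
    "lib.zip.extract": [],
    "lib.template.render": [],
    # Shipped inside a packaged library but never reached from app.main:
    "lib.crypto.legacy_rsa_decrypt": ["lib.crypto.pkcs1_unpad"],
    "lib.crypto.pkcs1_unpad": [],
}

# Constructed findings: (flaw id, vulnerable method, severity on a 1..5 scale).
FINDINGS = [
    ("F-1", "lib.crypto.pkcs1_unpad", 5),   # critical, but unreachable
    ("F-2", "lib.xml.resolve_entity", 2),   # low, but on the execution path
    ("F-3", "lib.zip.extract", 4),          # high, reachable
    ("F-4", "lib.template.render", 1),      # very low, reachable
]


def reachable_methods(call_graph, entry_points):
    """Breadth-first walk from the entry points; returns the set of methods reached."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        method = queue.popleft()
        for callee in call_graph.get(method, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def prioritize(findings, call_graph, entry_points):
    """Order findings: reachable ones first, then by descending severity.

    Returns a list of (flaw id, method, severity, reachable) tuples."""
    reached = reachable_methods(call_graph, entry_points)
    annotated = [(fid, m, sev, m in reached) for fid, m, sev in findings]
    return sorted(annotated, key=lambda f: (not f[3], -f[2]))


if __name__ == "__main__":
    for fid, method, sev, reach in prioritize(FINDINGS, CALL_GRAPH, ["app.main"]):
        print(f"{fid} sev={sev} reachable={reach} {method}")
```

With the sample data the critical finding F-1 drops to the bottom of the list because nothing on the path from app.main ever invokes it, while the low-severity F-2 on the XML parsing path moves ahead of it.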
Veracode offers developers the opportunity to write secure code, limit the vulnerabilities introduced into production, and prioritize vulnerabilities with our vulnerable method approach, expert remediation coaching, and security program managers. To learn more about how the Veracode Platform enables security and development teams to work in stronger alignment, reduce mean time to remediation, and boost an organization’s bottom line, download the Forrester Total Economic Impact™ of Veracode Application Security Platform.