Nature vs. Nurture Tip 2: Scan Frequently and Consistently

In our first blog in this series, Nature vs. Nurture Tip 1: Use SAST With DAST, we discussed how this year’s State of Software Security (SOSS) report looked at how both “nature” and “nurture” contribute to the time it takes to close out a security flaw. We found that the “nature” of applications – like size or age – can have a negative effect on how long it takes to remediate a security flaw. But, in contrast, we found that there is some “nurturing” – like using dynamic application security testing (DAST) with static application security testing (DAST) – that can have a positive effect on how long it takes to remediate security flaws (even if the “nature” is less than ideal).

Aside from using SAST with DAST, the second most impactful way to “nurture” the security of applications is by scanning for security frequently. Our SOSS research found that organizations that scan their applications infrequently (less than 12 times in a year) spent about 7 months to close half their open security findings, while organization that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months.

And it doesn’t just pay to scan frequently, scanning consistently also reduces time to remediation. In fact, organizations that scan with a steady cadence remediate flaws – on average – 15.5 days faster. 

Why does scanning frequently and consistently improve time to remediation?

Frequent, steady scanning are attributes of a DevSecOps approach. With DevSecOps, security is shifted to the beginning of the software development lifecycle (SDLC). By starting AppSec scans early in the SDLC, there is more time – and usually more resources – to remediate flaws prior to production.

Organizations following a DevSecOps approach are also more likely to integrate and automate AppSec scans. By integrating and automating scans into the developers’ existing tools and processes, you can ensure that scans are happening frequently and on a timeline that works best for your organization. Best of all, when you make it easier for developers to scan by implementing automation, developers will have more time to remediate flaws.

What are some steps you can take to improve your scan frequency and cadence?

If your organization follows a waterfall approach, chances are, you are scanning sporadically around big releases. Ideally, you want to move toward a DevSecOps approach and scan early and often, not just before a big release. But if your organization isn’t able to implement daily scans, a practical next step might be to scan weekly or bi-weekly, and – if you’re not already doing so – consider automating your scans. Just keep in mind that our research shows the more you scan, the faster you remediate flaws.

For more information on the effects of frequent, steady scanning, or for additional tips on “nurturing” the security of your applications, check out our recent State of Software Security report. And be on the lookout for our next blog, Nature vs. Nurture Tip 3!