May 27, 2020

Frequency, Speed, and Accuracy Are a Match Made in AppSec Heaven

By Meaghan McBee

“Make it work, make it right, make it fast.” These words from renowned software engineer Kent Beck will always ring true for developers, especially with the pace of development picking up, not slowing down. A GitLab survey from last year found that 43 percent of respondents deploy software on demand or multiple times per day – that’s a nonstop grind to produce good code. But simply writing good code is not enough. Software developers must work smarter and faster if they want to stay one step ahead of attackers and still meet tight deployment timelines.

Aside from looming deadlines and threat actors who don’t sleep, where is the disconnect? In our 10th annual State of Software Security report (SOSS X), we discuss how some development teams fix the security flaws they find when they scan their code in LIFO (Last In, First Out) or FIFO (First In, First Out) order. While these methods may work for some organizations, our data paints a clear picture: the chance of a security flaw being fixed in its first month is only about 22 percent for most organizations. It drops to about 10 percent in the second month, and to 3 to 5 percent per month the longer teams wait to revisit the flaw.

With the LIFO method, development teams work on the newest flaws first, yet a flaw’s age says nothing about its severity: an old flaw can be just as dangerous as a new one, and it has been exposed for longer. With the FIFO method, new flaws pile up while teams work through the ones they discovered first, on the assumption that discovery order equals importance. Both methods are missing an essential step: prioritization.
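To make the difference concrete, here is an added example (not code from the SOSS X report or from Veracode) that orders one constructed backlog of scan findings three ways: FIFO, LIFO, and a prioritized order that ranks by severity first and uses age only to break ties, so the flaw that has been exposed longest among equally severe flaws is fixed first. It also pulls out the findings that violate a policy threshold, which is the set a pipeline would break the build on. The five-level severity scale, the policy threshold, and the sample findings are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed severity scale for the example; any ordered scale works the same way.
SEVERITY_RANK = {"Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    found: date   # date the scanner first reported the flaw
    cwe: int      # CWE category, informational only here


# Constructed sample backlog, not real scan output. Ordered oldest to newest.
FINDINGS = [
    Finding("F1", "Low", date(2020, 1, 6), 117),        # log injection, oldest
    Finding("F2", "High", date(2020, 2, 14), 89),       # SQL injection
    Finding("F3", "Medium", date(2020, 3, 2), 79),      # cross-site scripting
    Finding("F4", "Very High", date(2020, 3, 20), 502), # unsafe deserialization
    Finding("F5", "Low", date(2020, 5, 18), 209),       # error message leak, newest
]


def fifo_order(findings):
    """First In, First Out: oldest finding first, regardless of severity."""
    return sorted(findings, key=lambda f: f.found)


def lifo_order(findings):
    """Last In, First Out: newest finding first, regardless of severity."""
    return sorted(findings, key=lambda f: f.found, reverse=True)


def prioritized_order(findings):
    """Severity first; among equal severity, the flaw that has been open longest.

    Age only breaks ties, so an old low-severity flaw never jumps ahead of a new
    critical one, but it does get fixed before an equally low new one.
    """
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.found))


def days_open(finding, today):
    """Exposure window of a finding, in days, as of `today`."""
    return (today - finding.found).days


def policy_violations(findings, minimum="High"):
    """Findings at or above the assumed policy threshold.

    A non-empty result is the condition under which a pipeline scan would
    break the build; everything below the threshold is fixed on the normal
    prioritized schedule instead of blocking deployment.
    """
    floor = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK[f.severity] >= floor]


if __name__ == "__main__":
    today = date(2020, 5, 27)
    for name, order in (("FIFO", fifo_order(FINDINGS)),
                        ("LIFO", lifo_order(FINDINGS)),
                        ("Prioritized", prioritized_order(FINDINGS))):
        print(name, [(f.id, f.severity, days_open(f, today)) for f in order])
    print("Break the build on:", [f.id for f in policy_violations(FINDINGS)])
```

Note what each queue puts at the front: FIFO starts with F1, a low-severity flaw that has been open since January; LIFO starts with F5, another low-severity flaw that is a week old; the prioritized order starts with F4, the one critical finding, and reaches the two low-severity flaws last, oldest first. The policy filter is deliberately separate from the ordering: the ordering decides what developers work on next, while the filter decides what is allowed to ship.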

Fixing the right flaws, fast

The better approach is to scan frequently and fix the right flaws fast, as they appear on the radar. Data from SOSS X shows that frequent scanners (300+ scans) carry one-fifth the security debt of infrequent scanners, and their median time to remediation (MedianTTR) is three times shorter.

The key to this approach? A comprehensive AppSec solution that blends security testing into each stage of the development pipeline and automates tasks wherever possible. It means giving development teams the right scan, at the right time, in the right place, so they can keep working, learning, and improving their code without halting projects.


That’s where the Veracode Static Analysis family of solutions comes into play, with automated security feedback right in the IDE and the pipeline so developers can improve code as they work. It also runs a full policy scan before your team moves forward to deployment, providing a clear window into the flaws developers should focus on, as well as an audit trail for compliance. Here’s a breakdown:

My code. Feedback in the IDE is fast, showing up while developers write code. Not only are they finding and fixing flaws as they work, they’re learning what to do differently next time to avoid a buildup of flaws (and security debt) down the road. The Veracode Static Analysis IDE Scan returns results in 3 seconds on average and offers remediation guidance, code examples, and links to Veracode AppSec Tutorials, encouraging developers to improve every step of the way.

Our code. With a median scan time of 90 seconds, the Veracode Static Analysis Pipeline Scan runs on every build and offers code feedback at the team level. The feedback is fast, pointing out flaws introduced by new commits and telling teams when to break the build to remediate policy-violating flaws. Even better: it’s easy for development teams to adopt and learn, so it won’t slow them down.

Production code. The Veracode Static Analysis Policy Scan in the CD pipeline is the icing on the cake. It conducts a full assessment of the code in about 8 minutes on average. This scan provides an audit trail to satisfy compliance needs and gives a clear picture of the overall health of your application. It runs on the Veracode Static Analysis Engine without manual tuning, with a false-positive rate of less than 1.1 percent.

When it comes to false positives, reducing the rate of these pesky alarms is critical to both speed and developer confidence: every false flag is time spent investigating a finding that was never a flaw. The industry-leading 1.1 percent false-positive rate of Veracode Static Analysis (with no tuning required), verified across thousands of scanned applications and customer data, is far lower than the 32 percent false-positive rate we see from the competition. That accuracy gives developers back the time they would otherwise spend chasing false flags, so they can focus on what matters most to their team and to the organization.

Upping your AppSec game

Frequency? Check. Speed? Check. Accuracy? Check. Veracode Static Analysis checks all the boxes for improving the security and quality of developer code, and then some. Standardizing on one SaaS solution that leans on automation and easy integration means this isn’t just a pipe dream. It’s achievable – even amid the accelerated shift to digital – and we’re pretty sure it would make Kent Beck proud.

Check out our whitepaper for more information on the Veracode Static Analysis family and how it can help you manage your AppSec risk in a world where frequency, speed, and accuracy matter most.

Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.