Mar 19, 2020

To Scan or Not to Scan? Why Frequency Matters for DevSecOps

By Meaghan McBee

Frequency matters. We know from our 10th annual State of Software Security report (SOSS) that when development teams scan their code for security more than 300 times per year, they can reduce their security debt by five times. That’s five times less risk carried around by developers, freeing them up to focus on improving processes and tackling the most dangerous vulnerabilities.

Recently, Veracode’s Chris Wysopal and Paul Farrington sat down with IDG for a podcast deep dive into these and other findings from our 10th edition of SOSS. In Frequency Matters: The Case for Scanning Early and Often, Chris and Paul discuss what scanning frequency means for creating a security-minded culture, and best practices for bringing regular scanning into DevSecOps processes.

So, what’s at the heart of this growing problem with security debt? On top of irregular scanning cadences, more organizations need to prioritize establishing clear processes and ask business decision-makers to take application security seriously. That, in part, means giving developers credit for their work and showing that they’ll be rewarded for making positive shifts in application security.

Encouraging business leaders to pour more time and resources into development teams only supports the objectives and goals that lead to more secure software. In part one of Frequency Matters, Veracode’s EMEA CTO Paul Farrington explains that when the technical aspects and processes of DevSecOps are embraced by internal teams, their fix rate is 11.5 times faster than teams that don’t embrace DevSecOps.

What does that mean in the long run? Faster fixes and fewer flaws lead to less security debt, which is a big problem plaguing organizations across all industries. In the second part of Frequency Matters, Veracode CTO Chris Wysopal sheds more light on the mounting security debt caused by persistent flaws that build up over long periods.

“We saw that medium severity flaws actually got fixed faster than high severity flaws, which seemed a little strange,” Chris explains, speaking of the findings in SOSS X. “But we did see the correlation between scan cadence and scan pattern; that correlation was much stronger.”

In order to build secure software, organizations can’t rely on prioritization alone. Instead, Chris says, businesses should have practices in place that are built into the software process to get ahead of vulnerabilities and stifle security debt.

Moreover, it’s essential that security and development teams break down their silos to build relationships across departments. With frequent scanning early and often, open discussions with management across departments, and a shifted focus on prioritization, reversing security debt is possible. 

Want to learn more? Listen to both parts of Frequency Matters and the other episodes in this series to learn about the state of application security.


Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.