ShiftLeft Upgrades NG SAST

July 10, 2020

ShiftLeft released a new version of NextGen Static Analysis (NG SAST), including new workflows, purpose-built for developers that significantly improve security, while enhancing productivity. ShiftLeft’s customer data confirms that developer productivity suffers when security isn’t automated and seamlessly integrated into the software development lifecycle (SDLC).

Security productivity challenges are rooted in the disconnect between the modern SDLC and the incremental improvements from legacy application security tools, which were designed for ad hoc scanning in the legacy waterfall mode of software development. With staffing ratios often in excess of 200 developers for every AppSec professional, scaling security to meet the requirements of the agile SDLCs requires increasing both developer engagement and efficiency.

Developers Overwhelmingly Believe Disconnect with Security Inhibits Productivity

In a new survey of over 165 developers, AppSec and DevOps professionals, ShiftLeft found that 96% of developers believe the disconnect between developer and security workflows inhibits developer productivity. Furthermore, when asked to prioritize, AppSec professionals ranked creating developer-friendly security workflows as their top priority, which was even higher than protecting applications in production environments.

“Deprioritization of security has been the most common approach to balancing AppSec with developer productivity because automating security in developer workflows has historically been prohibitively expensive for all but the most elite security organizations,” said Izak Mutlu, former VP of Information Security at “ShiftLeft’s NG SAST combines industry-leading scan speed, accuracy and a seamless workflow for rapid collaboration between development and AppSec teams so organizations of all sizes can run their AppSec initiatives at the pace of software development.”

The rise of long-term and permanent remote work has increased the amount of business being done online, therefore increasing the number of web properties and applications that need to be developed and supported. As organizations demand software to be built and delivered at an ever-increasing velocity, enhancing developer productivity while enhancing security is critical. The survey revealed that performing security scans too late in the SDLC (89.7%) and lack of remediation guidance (87.7%) are also significant inhibitors to developer productivity.

ShiftLeft’s New Developer-Driven Workflows Significantly Increase Productivity and Quality of Application Security

To scale security and address developer productivity challenges, ShiftLeft’s new version of NG SAST delivers holistic workflows with developer engagement and productivity as a first principle. The new developer-driven security workflow relies on the git-based process that developers already use to write and update code.

This allows organizations to:

Automate code analysis with every pull/merge request

Deliver immediate and accurate security feedback directly to each developer making the change

Enable developers to fix vulnerabilities, in the same way they address bugs, without leaving their development environment

Enable AppSec teams to write security-focused build rules that accept or deny merges, thereby allowing AppSec to scale

Help developers adopt secure coding best practices through Security Insights

Eliminate scanning bottlenecks with unlimited concurrent scans

Protect intellectual property by scanning without taking source code outside of their organization

Rapidly deploy with self-service on-boarding that doesn’t require network architecture updates, new firewall configurations or expensive professional services

Further customize workflows through comprehensive APIs

This developer-centric approach to code analysis greatly increases security and productivity by delivering the right vulnerability to the right developer at the right time. Mean time to remediation (MTTR) is reduced because vulnerabilities get fixed while the code is still fresh in the developers’ minds, and vulnerable code doesn’t become deeply interconnected because security build rules prevent it from entering the master branch.

“ShiftLeft's NextGen Static Analysis gave us the speed and accuracy that we needed to create security feedback loops for our development team without altering their workflows. By scanning every pull request our software engineers are able to fix vulnerabilities far more efficiently,” said Thomas Heuckeroth, VP CyberSecurity at The Emirates Group. “Not only are we seeing month-over-month decline in MTTR, but it’s now common for vulnerabilities to get fixed in the same sprint they are found and, most importantly, our engineers really like the process.”

ShiftLeft customers who automate NG SAST at the pull request increase scanning frequency by 110X over the industry average. Furthermore, by providing security feedback in the developer’s workflow, customers experience a 4.9X reduction in MTTR, within 90 days of going live. The result is 70% of new vulnerabilities get fixed in a typical three week sprint before making it into production. By spending less time on fixing vulnerabilities and more time writing new code, developers can increase productivity while enhancing security.

“The only way to deliver security at the pace of modern SDLCs is to create a culture of individual developer accountability for the security of the code they write. However, this demands new AppSec solutions purpose-built for today’s requirements,” said Manish Gupta, CEO of ShiftLeft. “Based on our new survey, it’s clear developers feel ad hoc security processes and the tools they have available to them today aren’t helping. We’ve always put productivity and security at the foundation of our platform, and our customers’ results demonstrate that the new workflow is significantly improving their security postures while increasing developer productivity.”

Terms of Use | Copyright © 2002 - 2020 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement