One Article Review

Source: Veracode
Identifier: 2103296
Publication date: 2020-12-07 14:28:54 (viewed: 2020-12-15 21:05:42)
Title: Nature vs. Nurture Tip 2: Scan Frequently and Consistently
Text: In our first blog in this series, Nature vs. Nurture Tip 1: Using SAST With DAST, we discussed how this year's State of Software Security (SOSS) report looked at how both "nature" and "nurture" contribute to the time it takes to close out a security flaw. We found that the "nature" of applications, like size or age, can have a negative effect on how long it takes to remediate a security flaw. But, in contrast, we found that there is some "nurturing", like using dynamic application security testing (DAST) with static application security testing (SAST), that can have a positive effect on how long it takes to remediate security flaws (even if the "nature" is less than ideal).

[Figure: Time to remediation]

Aside from using SAST with DAST, the second most impactful way to "nurture" the security of applications is by scanning for security frequently. Our SOSS research found that organizations that scan their applications infrequently (less than 12 times in a year) spent about 7 months to close half their open security findings, while organizations that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months.

[Figure: Scan frequency]

And it doesn't just pay to scan frequently; scanning consistently also reduces time to remediation. In fact, organizations that scan with a steady cadence remediate flaws, on average, 15.5 days faster.

Why does scanning frequently and consistently improve time to remediation? Frequent, steady scanning is an attribute of a DevSecOps approach. With DevSecOps, security is shifted to the beginning of the software development lifecycle (SDLC). By starting AppSec scans early in the SDLC, there is more time, and usually more resources, to remediate flaws prior to production. Organizations following a DevSecOps approach are also more likely to integrate and automate AppSec scans.
By integrating and automating scans into the developers' existing tools and processes, you can ensure that scans are happening frequently and on a timeline that works best for your organization. Best of all, when you make it easier for developers to scan by implementing automation, developers will have more time to remediate flaws.

What are some steps you can take to improve your scan frequency and cadence? If your organization follows a waterfall approach, chances are you are scanning sporadically around big releases. Ideally, you want to move toward a DevSecOps approach and scan early and often, not just before a big release. But if your organization isn't able to implement daily scans, a practical next step might be to scan weekly or bi-weekly, and, if you're not already doing so, consider automating your scans. Just keep in mind that our research shows the more you scan, the faster you remediate flaws. For more information on the effects of frequent, steady scanning, or for additional tips on "nurturing" the security of your applications, check out our recent
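As an added illustration that is not part of the Veracode post, the following Python script measures an application's scan frequency and cadence from a scan log, using the post's threshold of fewer than 12 scans a year as "infrequent" and the spread of the gaps between scans as the consistency signal. The log format, the application names, the constructed timestamps and the 0.5 coefficient-of-variation cutoff for "steady" are all assumptions made for this example.

```python
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Constructed sample log (not real data): "app,ISO-8601 scan time" per line.
# The billing app is only scanned around two releases plus one ad-hoc scan.
SCAN_LOG = """\
billing,2020-01-10T09:00:00
billing,2020-01-12T09:00:00
billing,2020-06-28T09:00:00
billing,2020-06-30T09:00:00
billing,2020-12-01T09:00:00
"""
AS_OF = datetime(2021, 1, 1)  # end of the one-year window being reported on

def parse_scan_log(text):
    """Group scan timestamps by application name."""
    scans = {}
    for line in text.splitlines():
        if line.strip():
            app, stamp = line.strip().split(",", 1)
            scans.setdefault(app, []).append(datetime.fromisoformat(stamp))
    return scans

def scheduled_scans(start, count, every_days):
    """Timestamps of a pipeline-driven scan that runs every `every_days` days."""
    return [start + timedelta(days=i * every_days) for i in range(count)]

def cadence_report(timestamps, as_of, period_days=365):
    """Frequency (SOSS threshold: under 12 scans a year is infrequent) and
    consistency (spread of the gaps between scans) over the trailing period."""
    window_start = as_of - timedelta(days=period_days)
    ts = sorted(t for t in timestamps if window_start < t <= as_of)
    report = {"scans": len(ts), "frequency": "infrequent", "cadence": "unknown"}
    if len(ts) < 2:
        return report
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(ts, ts[1:])]
    if len(ts) >= 12:
        report["frequency"] = "daily" if median(gaps) <= 1 else "regular"
    # Steady cadence means gaps of similar size; release-driven scanning
    # clusters scans, so its gaps vary widely. The 0.5 cutoff is an assumption.
    cv = pstdev(gaps) / mean(gaps)
    report["cadence"] = "steady" if cv < 0.5 else "sporadic"
    return report

def example_reports():
    """Reports for the constructed apps: release-driven, daily in CI, weekly."""
    apps = parse_scan_log(SCAN_LOG)
    apps["portal"] = scheduled_scans(datetime(2020, 1, 2, 9), 365, 1)
    apps["api"] = scheduled_scans(datetime(2020, 1, 3, 9), 52, 7)
    return {app: cadence_report(ts, AS_OF) for app, ts in apps.items()}
```

Run against a real scan history, the "infrequent" and "sporadic" labels flag the applications the post describes as scanned only around big releases, which is where moving to a weekly or daily automated scan pays off first.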
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.