To Scan or Not to Scan? Why Frequency Matters for DevSecOps

Frequent scans reduce security debt, helping to speed up your processes


Frequency matters. We know from our 10th annual State of Software Security report (SOSS) that when development teams scan their code for security more than 300 times per year, they can reduce their security debt by five times. That is a fivefold reduction in the risk developers carry around, freeing them up to focus on improving processes and tackling the most dangerous vulnerabilities.

Recently, Veracode’s Chris Wysopal and Paul Farrington sat down with IDG for a podcast deep dive into these and other findings from the 10th edition of SOSS. In Frequency Matters: The Case for Scanning Early and Often, Chris and Paul discuss what scanning frequency means for creating a security-minded culture, and best practices for bringing regular scanning into DevSecOps processes.

So, what’s at the heart of this growing problem with security debt? On top of irregular scanning cadences, more organizations need to prioritize establishing clear processes and ask business decision-makers to take application security seriously. That, in part, means giving developers credit for their work and showing that they’ll be rewarded for making positive shifts in application security.


Copyright © 2020 IDG Communications, Inc.