An EMA survey of 129 software development professionals found that code scanning tools were less effective than developers. For those using code scanning tools, 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it. The survey also found that 70% of organizations are missing critical security steps in their software development lifecycle (SDLC), highlighting a struggle with a shift-left approach.
Despite the fact that new vulnerabilities per year in the National Vulnerability Database have grown over 210% (from 6,487 to 20,139) between 2015 and 2021, the shift-left approach has not been well adopted. Twenty-five percent of organizations are using a shift-left security strategy, according to the study, despite the growing industry awareness of its importance. The research showed that security remains a lower priority for many organizations — almost 50% do not dedicate a step for security validation, 20% don’t plan their application security and 4% don’t have a dedicated security implementation step. Yet the benefits of making the shift are well proven: nine in 10 of those that have adopted a shift-left approach have realized reductions in vulnerabilities.