In my new report, “The State Of Application Security, 2020,” some of the trends are . . . kind of discouraging. Applications remain the most popular attack vector, open source continues to infect everything, and too many industries are not investing in the application security controls they need. But you’re probably tired of reading bad news. I know I am. So in the spirit of John Krasinski’s Some Good News, let’s focus on a bright spot.

Organizations are (slowly) shifting left.

The progress isn’t as fast as I’d like to see, but more organizations are implementing controls like software composition analysis and container security in the design and development phases of the software development lifecycle, rather than waiting for the testing phase. This is a step in the right direction. By integrating security into the development phase, organizations discover and remediate vulnerabilities sooner, and developers will learn how to write secure code from seeing and fixing security issues in real time. Consider what’s more effective: introducing a vulnerability and learning six weeks later from someone else that you’ve done so or being alerted to the problem minutes or hours later and getting to fix it while it’s still fresh in your mind? Developers will appreciate that you put their workflow first.

So . . . in at least one key area, we’re moving in the right direction. Do we need to move faster? Absolutely. Are there other ways in which we’re moving in the wrong direction? Unfortunately, yes. You can check out the full report, “The State Of Application Security, 2020,” for the good, the bad, and the “yikes!” But for just a few minutes, be thankful that organizations continue to march to the left.