As organizations continue to adopt DevSecOps, a methodology that shifts security measures to the beginning of the software development lifecycle (SDLC), roles and processes are evolving. Developers are expected to take on increased security measures – such as application security (AppSec) scans, flaw remediation, and secure coding – and security professionals are expected to take on more of a security oversight role.
Developers are adapting to this evolving role and embracing security measures, but those measures are often at odds with their other priorities, like rapid deployments. When developers’ and security professionals’ priorities are misaligned, the result is organizational friction and security gaps.
Veracode recently sponsored Enterprise Strategy Group’s (ESG) survey of 378 developers and security professionals in North America to better understand the dynamics between these teams and to understand their application security challenges and priorities.
The report highlights five key insights:
1. Most think their application security programs are solid, though many still push vulnerable code.
Respondents were asked to rate the efficacy of their organization’s AppSec program on a scale of zero to 10, zero being “we continually have security issues,” and 10 being “we feel confident in the efficacy and efficiency of our program.” Two-thirds of the organizations surveyed rated their programs as an eight or higher. And, better yet, two-thirds are using their AppSec scans on more than half their codebase.
Despite rating their AppSec programs highly and using scans, 81 percent of organizations are still experiencing exploits. Why? The research revealed that 48 percent of organizations regularly release vulnerable code to production when they’re under a time crunch. Knowingly pushing vulnerable code to production puts those applications at risk of a breach, however good the scanning that found the flaws in the first place.
2. Multiple security testing tools are needed to secure the potpourri of application development and deployment models in use today.
There is no single AppSec testing type that is able to identify every vulnerability. Each testing type has its strengths and blind spots. For example, if you only use static analysis, you won’t uncover known vulnerabilities in the open source components you depend on, business logic flaws, or configuration errors. If you only use software composition analysis, you will identify only known flaws in third-party components, not flaws in your own code.
The findings showed that most organizations do employ a mix of testing types. However, there are some gaps. For example, only 38 percent of organizations use software composition analysis. Unless those organizations are covering that gap some other way, such as penetration testing, they are likely not testing for known vulnerabilities in third-party components at all; and even penetration testing will only surface the subset of those that happen to be reachable and exploitable during the engagement.
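To make the complementarity concrete, here is a small Python illustration, added for this page and not code from the report or from Veracode: a pattern-based static check over first-party source next to a composition check of pinned dependencies against an advisory list. The source file, the requirements file and the advisory entries are all constructed inline for the demonstration; the package names and advisory IDs are hypothetical and refer to no real vulnerabilities. Each scanner finds a class of flaw the other cannot see.

```python
"""Why SAST and SCA find different classes of flaws: a constructed demo.

Added example, not code from the page or from Veracode. The sample source,
the requirements file and the advisory list are constructed inline; the
advisory package names and IDs are hypothetical, not real vulnerabilities.
"""
import re
from dataclasses import dataclass

# --- constructed sample project --------------------------------------------

SAMPLE_SOURCE = '''
import sqlite3, subprocess

def find_user(conn, name):
    # first-party flaw: untrusted input concatenated into SQL
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchall()

def archive(path):
    # first-party flaw: caller-controlled string passed to a shell
    return subprocess.run("tar czf backup.tgz " + path, shell=True)
'''

SAMPLE_REQUIREMENTS = """\
requests==2.31.0
examplelib==2.1.0
widgetkit==0.9.4
"""

# Hypothetical advisory database (constructed for the example; the names,
# IDs and fixed versions are invented and do not describe real advisories).
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "fixed_in": (2, 3, 0)},
    {"id": "ADV-0002", "package": "widgetkit", "fixed_in": (1, 0, 0)},
]


@dataclass
class Finding:
    tool: str       # "sast" or "sca"
    location: str   # file:line for SAST, package==version for SCA
    message: str


# --- SAST: pattern rules over first-party source ---------------------------

SAST_RULES = [
    (re.compile(r'execute\(\s*".*"\s*\+'), "SQL built by string concatenation"),
    (re.compile(r'shell\s*=\s*True'), "subprocess call with shell=True"),
    (re.compile(r'\beval\('), "use of eval() on runtime data"),
]


def scan_source(source: str, filename: str = "app.py") -> list[Finding]:
    """Flag risky first-party code patterns. Knows nothing about dependencies."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, message in SAST_RULES:
            if pattern.search(line):
                findings.append(Finding("sast", f"{filename}:{lineno}", message))
    return findings


# --- SCA: pinned versions checked against the advisory list ----------------

def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def scan_dependencies(requirements: str) -> list[Finding]:
    """Flag pinned components below an advisory's fixed version.
    Never looks at first-party code, so it cannot see the SQL or shell flaws."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        for adv in ADVISORIES:
            if adv["package"] == name.lower() and parse_version(version) < adv["fixed_in"]:
                fixed = ".".join(map(str, adv["fixed_in"]))
                findings.append(Finding("sca", f"{name}=={version}",
                                        f"{adv['id']}: known vulnerable, fixed in {fixed}"))
    return findings


def scan_project(source: str, requirements: str) -> list[Finding]:
    """Run both; the union is what neither tool produces on its own."""
    return scan_source(source) + scan_dependencies(requirements)


if __name__ == "__main__":
    for f in scan_project(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS):
        print(f"[{f.tool}] {f.location}: {f.message}")
```

Run stand-alone, the static pass reports the two first-party flaws (lines 7 and 12 of the sample) and the composition pass reports the two out-of-date components; drop either scanner and its two findings disappear, which is the gap the survey numbers describe. Real tools use data-flow analysis rather than regexes and real advisory feeds rather than an inline list, but the division of labor is the same.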
3. Developer security training is spotty, and programs to improve developer security skills are lacking.
The survey uncovered that 50 percent of organizations provide developers with security training only once a year or less. Not surprisingly, the survey also uncovered that developers’ top challenge is mitigating the code issues that scans find. Developers improve their knowledge of code vulnerabilities through security training or hands-on programs, like Veracode Security Labs, and through AppSec solutions that give them real-time security feedback as they code, like Veracode’s IDE Scan.
4. The proliferation of AppSec testing tools is an issue for many, with more than a third focusing investments on consolidation.
Over 30 percent of organizations are overwhelmed by the number of AppSec tools currently in use across their development teams. They spend too much time managing the tools and processes, which takes away from the effectiveness of their AppSec program. As a result, these organizations are planning future investments to consolidate their tools and processes.
5. Organizations are investing, with more than half planning to significantly increase spending on application security.
When asked about their future application security investments, more than half of the respondents stated that they plan to increase their AppSec spending. The majority plan to direct that investment toward cloud-based AppSec tooling, consolidating AppSec tools, or expanding their use of testing tools.
To read the rest of the findings, download the full report, Modern Application Development Security.