We recently conducted a survey of developers and development managers to find out what’s on their minds and how their concerns compare to those of application security teams. The results contain some surprises.
What’s not surprising is that development teams are feeling pressured to meet productivity goals while still meeting requirements for quality and stability. Add to that the growing threat of cyberattacks, and penalties – both legal and market-based – for companies that suffer a breach, and developers are feeling squeezed from all sides. In this pressure-cooker environment, AppSec is suffering: more than 60 percent of applications fail OWASP Top 10 policy on initial assessment, according to Veracode’s State of Software Security 2016.
With that in mind, here are the top takeaways from the Veracode Secure Development Survey.
Over the years, developers have been stereotyped as caring mainly about features, with little regard for security. That may be changing. Veracode’s survey asked a sample of 350 developers and 150 development managers to rank their top challenges and concerns. Preventing data breaches and cyberattacks was rated the number one concern by 37 percent of developers. By contrast, only 23 percent of developers said meeting customer or regulatory compliance was their top challenge or concern, while 21 percent said meeting budget and delivery schedules, and 19.4 percent said delivering secure code to pass internal audits.
Perhaps as a result of this shifting mindset about security, more developers are testing the security of their code at the programming stage (40 percent) than at any other stage of the software lifecycle. Another 21 percent of developers said they incorporate security testing at the design stage. Research by the National Institute of Standards and Technology has found that finding and fixing defects at later stages increases the cost by more than an order of magnitude: fixing a defect in production is 30 times more expensive than fixing it during architecture/requirements.
Developers are still dealing with security programs that impede their development efforts – 52 percent of developers feel application security testing often delays development and threatens deadlines. And fewer than 25 percent of developers feel they have authority over decisions regarding application security. There were some regional differences among respondents in our survey: developers in the U.S. identified security delaying development as a challenge (56 percent) more often than their counterparts in the UK and Germany (46 percent).
More than half of developers identified sensitive data exposure as a vulnerability they are concerned about (53 percent) – more than any other vulnerability cited in the survey, and the only one cited by a majority of developers as a top concern. According to Veracode analysis in the State of Software Security 2016, 65 percent of applications have cryptographic issues and 41 percent have credentials management vulnerabilities, showing that developers’ concerns about sensitive data exposure are well-placed. However, fewer than a third of developers (28.5 percent) cite using components with known vulnerabilities as a major concern, despite the high prevalence of vulnerabilities in open source components. For example, Veracode analysis found that 97 percent of Java applications had at least one component with a known vulnerability. The two findings sit uneasily together: a vulnerable cryptographic or authentication library pulled in as a third-party dependency is exactly the kind of component that leads to sensitive data exposure, so a team that worries about the one cannot afford to ignore the other.
Although nearly a quarter of developers say their teams don’t have authority over application security (24 percent), 22 percent of development organizations now share responsibility for AppSec with another team, and the security team reports to development in 16 percent of organizations. This suggests that more organizations are shifting toward DevOps, with development, security and operations working in integrated teams.
Download the complete Veracode Secure Development Survey to find out more about what developers and development managers are saying about their top application security challenges and concerns.