Aug 3, 2020

New Data Reveals How AppSec Is Adapting to New Development Realities

By Hope Goslin

In today’s fast-paced world, companies are racing to bring new, innovative software to market first. In order to keep up with the speed of innovation, many organizations are shifting toward DevSecOps. DevSecOps brings security to the front of the software development lifecycle (SDLC), allowing for both fast deployments and secure applications.

Even though DevSecOps is able to meet the needs of both developers and security professionals, the teams are laser-focused on their own metrics and objectives, making it a challenge to align. This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices and most developers lack secure code training.

Veracode recently sponsored Enterprise Strategy Group’s (ESG) research on modern developers and security professionals in North America to better understand the dynamic between the roles and to find ways to bridge the gap. The main objectives of the research were to:   

  • Examine the buying intentions of application security (AppSec) teams and developers regarding application security solutions. Gauge buyer preferences for different types of vendors’ application security solutions.
  • Determine the extent to which security teams understand modern development and deployment practices, and where security controls are required to mitigate risk.
  • Understand the trigger points influencing application security investments and how decision-makers are prioritizing and timing purchasing decisions.
  • Gain insight into the dynamics between development teams and security teams with respect to the deployment and management of application security solutions.

The research shows that AppSec scans are widely used across organizations, and – in most cases – organizations are happy with the current state of their programs. But the research also supports the misalignment between developers and security professionals, reinforcing the lack of security training for developers and the need for security tools to be further integrated and automated into existing developer processes. Here are some of the key findings:

Most organizations believe their AppSec programs are effective.

When asked to rate the efficacy of their organizations’ AppSec program on a scale of zero to 10, zero being ‘we continually have security issues’ and 10 being ‘we feel confident in the efficacy and efficiency of our program,’ 69 percent of organizations rated their programs as an eight or higher. And, not only are organizations pleased with the current state of their AppSec programs, but also a sizeable 71 percent are using their scans on more than half of their codebase. These numbers are reassuring; but, despite AppSec tool usage, 81 percent of organizations are still experiencing exploits.

When digging further, we found one major reason for the exploits … more than 85 percent of respondents admitted to releasing vulnerable code to production due to time constraints. When asked who makes the decision to push code to production, the answer varied from development managers to security professionals, or both.

Developers do not have the tools and training needed to be successful.  

Arguably one of the most shocking findings from the research – only 15 percent of organizations reported that all of their development teams are participating in formal security training. And developers’ top challenges were identified as the ability to mitigate code issues and the lack of integration between AppSec tools and vendor tools. Given that developers are involved in the decision to push code live at more than 68 percent of organizations, it’s important that they have the proper training and remediation knowledge.

So why aren’t developers receiving training? At 40 percent of organizations, it’s up to the security team to train the developers. And, since security professionals are notoriously overworked and understaffed, finding the time to train developers can be a challenge.

Organizations need to further invest in DevOps.

More than half of organizations integrate their AppSec tools into their DevOps processes. But, 43 percent still feel that they need to further integrate their AppSec into their software development lifecycle. Improving integration makes it easier for developers to keep on top of security, and it helps speed up the development process.

Tool proliferation is a big issue for a third of organizations.

More than 30 percent of organizations are overwhelmed by the number of AppSec tools currently used across their development teams. Of those organizations, 34 percent are looking to consolidate their tools and processes and 44 percent would like to invest more in SaaS-based AppSec tools.

To learn more about the AppSec challenges developers and security professionals face and ways to unify the roles, check out our recent infosheet: Understanding Modern Software Development.

By Hope Goslin

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.