Checkmarx Report: Tackling Software Exposure in the DevOps Cycle

Today, in an effort to better understand the evolving nature of software delivery and the role security plays in it, we released a new report, “Managing Software Exposure: Time to Fully Embed Security into Your Application Lifecycle,” which we commissioned from FreeForm Dynamics in coordination with The Register. The report aggregates input from 183 respondents worldwide, the majority of whom hold software development, IT or security professional titles, and outlines the biggest barriers to securing software within the DevOps cycle today.

Among some key findings from the report:

A software security gap exists. While there are no silver bullets for today’s software security needs, our study finds that a big gap has emerged between what is needed and what is actually in place. 96 percent of respondents said it is “desirable” or “highly desirable” for developers to be properly trained in producing secure code, yet 41 percent agree that defining clear ownership and responsibility for software security remains a big challenge. Traditionally, operations teams were responsible for software security, but as more organizations adopt a DevOps methodology it has become imperative for developers to build security into every new application from the start. Why is this still not the case in some organizations? According to our study, just 11 percent of respondents say they have adequately addressed the need for developer education in this area.

Software security is a conversation for the boardroom. The first step to strengthening how security is incorporated into the software delivery cycle is to get senior management involved. 57 percent of respondents agree or strongly agree that software security is now a boardroom issue. Yet 45 percent of respondents find it challenging to get senior management to approve funding for security training. Clearly there is work to be done in educating and motivating senior management to treat software security as a matter of business risk.

Stronger collaboration is needed. Historically, there has been a culture of inefficiency and miscommunication between development and operations teams. Even though DevOps culture removes many of the barriers between these two departments, 72 percent of respondents still agree that different teams and disciplines within IT are too often reluctant to trust each other.

The reality is that in order to prevent software exposure throughout the software development lifecycle, we must first tackle the question of ownership and responsibility, bringing together employees of diverse skill levels and backgrounds to build mutual trust and respect.

To read the full report and more key findings, download it here. If you are interested in learning more about how software exposure is transforming software security, visit

Maty Siman

Founder and CTO at Checkmarx
Maty has been active in the IT industry for the past 12 years and has experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager.

*** This is a Security Bloggers Network syndicated blog from Blog – Checkmarx authored by Maty Siman. Read the original post at: