Despite the best of intentions among security and development teams, finding common ground can be a real challenge. Both sides are driven by different—and often competing—metrics, making alignment even harder. Add the fact that most security teams lack an understanding of modern application development practices, including the move to microservices-driven architectures and the use of containers, and the gap between teams widens still further.
To determine the size of this gap, and the extent to which security teams understand modern development and deployment practices, Synopsys commissioned Enterprise Strategy Group (ESG), a leading IT analyst and research organization, to document insights into the dynamics between development teams and cybersecurity teams with respect to deployment and management of AppSec solutions.
Based on a survey of 378 qualified respondents in cybersecurity and application development, representing several industries, including manufacturing, financial services, construction/engineering, and business services, throughout the United States and Canada, the study underscores the need to address AppSec holistically throughout the development life cycle.
For example, among organizations knowingly pushing vulnerable code into production, 45% do so because the vulnerabilities identified were discovered too late in the cycle to resolve them in time. Additionally, 43% of respondents say integrations complementing high-velocity application development are most important to improving security programs.
But more tools aren’t the answer. Seventy-two percent of respondents already use more than 10 tools, increasing the complexity, time, resources, and effort of gaining actionable intelligence from them. The proliferation of tools is driving many organizations to invest in consolidation as they struggle to integrate and manage the number of tools they’re already using.
These findings reaffirm the importance of shifting security left in the development process, enabling development teams with ongoing training as well as tooling solutions that complement their current processes so they can code securely without negatively impacting their velocity.
Key insights of the ESG study
- Most organizations believe their application security program is effective, though many still push vulnerable applications into production. Sixty-nine percent of survey respondents rate the efficacy of their current program as an 8 or higher on a scale of 1-10 (with 10 being the most effective). However, nearly half of organizations knowingly push vulnerable code on a regular basis, and most (60%) have experienced production application exploits involving OWASP Top 10 vulnerabilities in the past 12 months.
- DevOps integration is a critical element for improvement. Over a quarter (26%) of respondents note a difficulty or lack of integration between different application security vendor tools as the most common challenge. Twenty-six percent also say that their current application security tools add friction and slow down development cycles. Nearly a quarter (23%) of respondents identify poor integration with development/DevOps tools as a common challenge.
- Developers play an important role in application security, but they lack the skills and training. Nearly one-third (29%) of respondents express that developers within their organization lack the knowledge to mitigate issues identified by their current application security tools. Only 17% say that their developers utilize the just-in-time training available within their security tools, and only 29% of developers are required to participate in training at least once per quarter.
- Organizations are planning to increase application security spending. Over half (51%) of respondents plan to increase application security spending significantly in the next year. Forty-four percent plan to target application security investments toward cloud.
- AppSec tool proliferation is driving many organizations to invest in consolidation. Many organizations are struggling to integrate and manage the number of tools in place, often leading to a reduction in the effectiveness of their security program while also directing an inordinate amount of resources to manage them. With 72% utilizing more than ten tools, complexity becomes a key issue. Due to this, over a third are focusing investments on consolidation.
To learn more, download the e-book, “Modern Application Development Security.”
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Patrick Carey. Read the original post at: https://www.synopsys.com/blogs/software-security/new-devsecops-study-highlights-need-address-appsec-throughout-sdlc/