Secure Design Is Still Not The Norm

Though general security awareness is at an all-time high, secure design is still not the norm in most organizations. In fact, new research finds that the majority of organizations admit they do not complete all the necessary security reviews before code reaches production environments.

A recent Invicti study on application security found interesting trends around general security awareness and the state of security integration into the software development lifecycle. Below, I’ll review the report for its major takeaways to see how organizations can improve their security footing amid an evolving threat landscape.

Security Awareness Reaches New Heights

In recent months, the emphasis on security has reached new heights. The focus on web application security has increased at 86% of companies, while security emphasis has remained unchanged at only 10% of organizations. These findings demonstrate a general build-up of concern throughout the industry around application security. And, with this newfound security awareness, more types of roles are starting to take on the security burden.

The majority of developers and security professionals now view security as a shared responsibility. Out of these respondents, 34% say they share accountability but don’t leverage KPIs related to it. On the other hand, 57% say that both teams share accountability and measure KPIs related to it. Interestingly, only 8% of respondents believed that only the security team was responsible.

These results demonstrate an increase in shared accountability across the board, which is good for the industry as it shows that AppSec principles and awareness are trickling into more workflows. It also shows that many teams are actively engaged in monitoring the state of shared security accountability.

However, as engineers take on new responsibilities, this broader security accountability is affecting developer productivity. Surprisingly, respondents estimated that 51% of a web developer’s time is spent on security issues. 80% now see security processes as at least “somewhat” delaying delivery timelines.

This newfound security accountability is taking a toll on productivity, as addressing security threats takes time and manual effort. For example, 78% of respondents always or frequently perform manual verification of flagged vulnerabilities. Nevertheless, continued investment in in-depth security training and DevSecOps practices will be necessary to limit the next wave of application security threats. And, as such practices become more widely known, remediation timeframes could be reduced.

Shift-Left Not Fully Adopted In Practice

Though security awareness has reached new highs, in practice, security is still often treated as an afterthought due to the extreme pressures to deliver software rapidly. Surprisingly, 45% of development teams frequently complete projects without carrying out all the necessary security steps. 25% of organizations say they do this all the time. This reality is causing one in three issues under remediation to make it to production without being caught in the testing and development phases.

The OWASP Top 10 list now places insecure design as a leading cause of application vulnerabilities. OWASP describes this new category as “risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures.” If all the boxes aren’t checked with each release, it could cause vulnerabilities that further exacerbate the insecure design pattern issue.

A lack of shift-left adoption could also undermine secure design patterns. In practice, only 20% of teams have fully integrated application security testing into the development process. The remaining organizations are split on this matter, either involving security testing closely in coordination with development or treating it as a separate process entirely.

Some 61% of security professionals and developers report scanning all production web applications for vulnerabilities, yet this figure drops to only 28% in pre-launch and a strikingly low 1% for code in development. The lack of security analysis early on could leave bugs undiscovered down the line. Yet shift-left analysis is not the end-all solution; it should go hand in hand with security testing in active production environments to attain full testing coverage.

Security: A Big Mental Stressor

Under mounting digital innovation demands, both developers and security teams are under stress to keep pace. And security is a big added stress. Security is so stressful, in fact, that 73% of DevOps, security, and developer respondents considered quitting their job due to security-related issues. 78% say stress levels have increased in the past year.

Other reports substantiate this general mood — a separate 2021 survey by AppDynamics similarly found that “81% of respondents experiencing increased frustration and 63% conflicting more with colleagues.”

The stress of security is worsened by the lack of proper tooling to address security issues. A big problem here is the preponderance of false positives — 96% say that false positives are problematic. Constantly addressing false issues can result in burnout and leave actual threats undiscovered. Automation could alleviate the burden, but 60% say they do not have enough automation in place today to test and remediate security issues.

One silver lining is that the rumors of rampant animosity between developers and security staff are largely overstated. When questioned on the relationship between the security team and developers, 41% described it as a family with a shared passion for security where they work as one team. 35% are ‘besties,’ and only 17% are ‘frenemies.’ Certainly, there are holdouts — 7% of developers and security professionals do not collaborate at all.

In Review

Looking to the future, the growing complexity of web applications and the ubiquity of low-code/no-code development tools appear to be the top emerging threats. To address security (and the stressors accompanying security), teams will have to fix the inherent insecure-by-design practices that plague the development process.

Doing so without taking more time and effort away from developers is the key. This will likely require more cultural security awareness, resolving false positives to reduce friction, and incorporating better security coverage with more security automation and machine learning.

The Invicti AppSec Indicator Fall 2021 Edition: Security and the Innovation Imperative, commissioned by Invicti and conducted by Wakefield Research, highlights the attitudes of 600 security professionals, security managers, DevOps, and developer roles across a wide range of industries. For more detailed information, you can check out the report here.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.
