Application Security Responsibility Shifting Further Left

A GitLab survey of more than 5,500 DevOps professionals (including roughly 700 application security professionals) found that 57% of those security respondents reported responsibility for security has already shifted, or soon will shift, left toward developers.

However, 43% of respondents said they still have full ownership of security, with another third reporting they are at least thinking about shifting responsibility for security further left within the next two years. More than half of the respondents (53%) said everyone was responsible for security, with 35% reporting they are more involved in daily hands-on tasks.

At the same time, 43% also noted they are either “somewhat” or “very” unprepared for the future.

The trouble with application security often comes down to roles and responsibilities within organizations. Budget dollars allocated to cybersecurity teams are generally spent on platforms those teams directly manage. The teams often assume that developers are taking responsibility for the integrity of applications as they are being developed.

Developers, however, don’t typically have a lot of cybersecurity expertise; security was usually an elective that most of them did not take. In practice, developers generally assume a cybersecurity team is going to protect their applications, and their own role is limited to patching vulnerabilities identified by that team. Even then, there is often disagreement over how severely a given vulnerability affects an application, depending on how the application was developed or configured.

Brendan O’Leary, staff developer evangelist for GitLab, said the survey makes it clear that while there is still a lot of work to be done in terms of securing software supply chains using DevSecOps best practices, progress is being made. One of the immediate challenges organizations of all sizes face is finding a way to revamp their toolchains to put more security tools in the hands of developers.

Just over half of respondents (55%) reported they are using static application security testing (SAST) and dynamic application security testing (DAST) tools. However, fewer than a third (30%) have lightweight SAST scanners integrated into a web-based integrated development environment (IDE). The survey also found only 29% of respondents pull scan results into a web pipeline report for developers or make container and dependency scan results easily available to developers. On the plus side, roughly 60% of respondents are scanning containers.
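As an added example that is not from the article or from GitLab's survey, the following is a minimal `.gitlab-ci.yml` of the kind the toolchain changes above imply: it includes GitLab's SAST, dependency, container and DAST scanning templates so that findings land in the pipeline's security report and the merge request widget rather than in a separate security-team console. The stage names, the `build` job, the registry image tag and the `DAST_WEBSITE` staging URL are assumptions made for illustration, not values from the page.

```yaml
# Added example (not from the article): wiring GitLab's scanner templates
# into a pipeline so scan results reach developers in the merge request.
# The build job, stage names and staging URL below are illustrative assumptions.
stages:
  - build
  - test
  - dast

include:
  # Each template defines a job that emits a security report artifact
  # (sast, dependency_scanning, container_scanning, dast) which GitLab
  # renders in the pipeline Security tab and the merge request widget.
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Image the container-scanning job inspects; assumed to be the one the
  # build job below pushes to the project registry.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # Target the DAST job crawls; an assumed staging deployment of this branch.
  DAST_WEBSITE: https://staging.example.com

build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

The SAST, dependency and container scanning jobs run in the `test` stage after the image is built, and the DAST job runs last in the `dast` stage against the deployed target. The point of the arrangement is the one the survey measures: results are attached to the pipeline and surfaced on the merge request, where the developer who wrote the change sees them before a security review happens.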

Even in the wake of a series of high-profile breaches, there is not much more focus on application security. Beyond the technical issues involving tools, there is a longstanding cultural divide that needs to be bridged. Cybersecurity teams don’t have a lot of confidence in the ability of developers to address application security issues. Developers, meanwhile, tend to view cybersecurity reviews as an obstacle to be overcome rather than an intrinsic element of any quality assurance process.

One way or another, collaboration between developers and cybersecurity teams needs to improve. The onus is clearly on cybersecurity professionals to find a way to teach development teams which flaws to address, because the same vulnerabilities keep showing up across multiple applications. Developers don’t typically set out to build an insecure application; in the absence of meaningful training and much-needed improvements to workflows, the same mistakes are simply destined to be repeated.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.