48% Of Organizations Knowingly Push Vulnerable Application Code: Synopsys

essidsolutions

A study commissioned by Synopsys sheds light on why developers knowingly ship vulnerable application code despite the security implications, and what organizations can do to discourage that practice.

A majority of organizations feel confident in the efficacy of their application security implementations, even though almost half (48%) push vulnerable code to production, a study by Synopsys reveals. The Modern Application Development Security study identifies several reasons why security practices are not implemented reliably in the DevSecOps cycle.

DevSecOps emerged as a method of standardizing application and infrastructure security from the earliest stages of the software development lifecycle. It makes everyone involved accountable for security without slowing the pace of development. Dave Gruber, Senior Analyst at ESG, said, “DevSecOps has moved security front and center in the world of modern development; however, security and development teams are driven by different metrics, making objective alignment challenging.”

These differences stem from the use of multiple testing tools, the complications of prioritization, and time pressures. Gruber adds, “This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices. The move to microservices-driven architectures and the use of containers and serverless architectures has shifted the dynamics of how developers build, test, and deploy code.”

With 60% of production applications having been exploited through OWASP Top 10 vulnerabilities in the past 12 months, where exactly is the process going wrong? Let’s find out.


The figure below shows that the decision to push vulnerable code, whatever the reason, is taken by the team (28%), by the development manager (21%), or by the security analyst (21%).

Source: Synopsys

So, why do teams push vulnerable code? Why can’t teams effectively test before deployment?

  • 26% say current application security tools slow down development cycles.
  • 23% cite poor DevOps integration, while 24% point to underutilization or improper use of the tools provided.

Moreover, 29% said developers simply lack the skills necessary to mitigate identified issues.

When asked what level of training they have been prescribed, the results are underwhelming.

Source: Synopsys


It is evident that a comprehensive security approach for the software development lifecycle is the need of the hour. Patrick Carey, Director of Product Marketing for the Synopsys Software Integrity Group, said, “Of the organizations consciously pushing vulnerable code into production, 45% do so because the vulnerabilities identified were discovered too late in the cycle to resolve them in time. This reaffirms the importance of shifting security left in the development process, enabling development teams with ongoing training as well as tooling solutions that complement their current processes so that they may code securely without negatively impacting their velocity.”

Fortunately, the report, which surveyed 378 qualified cybersecurity professionals, also found that organizations will continue to spend on application security (AppSec).

Source: Synopsys
