Time pressure contributes to security shortcuts

Study conducted by analyst firm ESG explores security trends and challenges emerging in modern application development.

  • Friday, 7th August 2020, by Phil Alsop
Synopsys has released the “Modern Application Development Security” eBook. Based on a survey of cybersecurity and application development professionals conducted by Enterprise Strategy Group (ESG), the eBook highlights the extent to which security teams understand modern development and deployment practices, and where security controls are required to lower risk. The study finds that nearly half (48%) of survey respondents consciously push vulnerable code to production because of time pressure. It also finds that 43% of respondents consider integrations that complement high-velocity application development the most important factor in improving their application security programs.


“DevSecOps has moved security front and center in the world of modern development; however, security and development teams are driven by different metrics, making objective alignment challenging,” said Dave Gruber, Senior ESG Analyst. “This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices. The move to microservices-driven architectures and the use of containers and serverless architectures has shifted the dynamics of how developers build, test, and deploy code.”

Synopsys commissioned ESG, a leading IT analyst and research organisation, to document insights into the dynamics between development teams and cybersecurity teams with respect to the deployment and management of application security solutions. ESG surveyed 378 qualified cybersecurity professionals with insight into and responsibility for security application development technologies, and application development professionals involved with securing development tools and processes. The survey respondents work at organisations in multiple industry verticals including manufacturing, financial services, construction/engineering, and business services, among others throughout the United States and Canada.

“The key insights identified within this study underscore the fact that organisations need to address application security holistically throughout the development life cycle,” said Patrick Carey, Director of Product Marketing for the Synopsys Software Integrity Group. “Of the organisations consciously pushing vulnerable code into production, 45% do so because the vulnerabilities identified were discovered too late in the cycle to resolve them in time. This reaffirms the importance of shifting security left in the development process, enabling development teams with ongoing training as well as tooling solutions that complement their current processes so that they may code securely without negatively impacting their velocity.”

Key insights from the study include:

  • Most organisations believe their application security program is effective, though many still push vulnerable applications into production. Sixty-nine percent of survey respondents rate the efficacy of their current program as an 8 or higher on a scale of 0 to 10 (with 10 being the most effective). However, nearly half of organisations consciously push vulnerable code on a regular basis, and most have experienced production application exploits involving OWASP Top 10 vulnerabilities in the past 12 months.
  • DevOps integration is a critical element for improvement. More than one-quarter of respondents say that their current application security tools add friction and slow down development cycles, while 23% identify poor integration with development/DevOps tools as a common challenge. Additionally, 26% of respondents note a difficulty with or lack of integration between different application security vendor tools as a common application security challenge.
  • Developers play an important role in application security, but they lack the skills and training. Nearly one-third (29%) of respondents say that developers within their organisation lack the knowledge to mitigate issues identified by their current application security tools. Furthermore, only 17% say that their developers use the just-in-time training available within their security tools, and just 29% are required to participate in training at least once per quarter.
  • Organisations are planning to increase application security spending. More than half (51%) of respondents report plans for significant increases in application security spending over the next 12 months. Forty-four percent plan to target application security investments toward cloud.
  • AppSec tool proliferation is driving many organisations to invest in consolidation. Many organisations are struggling to integrate and manage the number of tools in place, often leading to a reduction in the effectiveness of their security program while also directing an inordinate amount of resources to manage them. With 70% utilising more than ten tools, complexity becomes a key issue, and as a result, more than a third are focusing investments on consolidation.