Software developers say they are worried about the security of their software, but their organizations still have considerable work ahead of them in getting developers the tools and support they need to succeed.
Consider the recent study from WhiteHat Security, which found that a startling 75% of developers are concerned about the security of their applications. And while 85% said that security is very important to the development process, the survey found that organizations aren’t necessarily treating the function as important.
For starters, nearly half of respondents said they lack a dedicated cybersecurity expert. Disappointingly, though it is a familiar refrain, 43% of respondents said they are more focused on hitting release deadlines than on security. And while 57% said they understand that application security should be a critical part of the software development lifecycle and try to prioritize security practices over deadlines, many admit they often turn to shortcuts when facing delivery pressure.
The relentless push to meet deadlines has taken its toll. More than half of WhiteHat Security’s survey respondents said that they have experienced burnout due to intense pressures to deliver applications on time — and securely. Burnout has proven to be a challenge throughout cybersecurity.
Nor is it always a matter of not having the right tools in place. The WhiteHat survey found that 57% of respondents believe they have the application security tools they need to integrate security processes into their software development lifecycle. Only 14% said they lacked the right tools. Disappointingly, about 33% of respondents were unsure what their organizations provided; they are arguably best counted among the organizations that lack the right tools, since if they had them they would likely know about them.
Among the survey participants who said they do use software security products, 33% scan for vulnerabilities each day, 29% do so each week, and 20% once a month. So while roughly 80% scan at least monthly, the remaining 20% or so scan on no fixed schedule: every three months, at random, or whenever the mood strikes them.
Interestingly, 70% of developers reported that they have not earned security certifications in their current or previous positions. And while programming skills and secure software development practices are foundational, developers are increasingly citing soft skills as essential. According to the survey, 49% said teamwork and interpersonal skills are the most essential soft skills, followed by problem solving at 34%.
Software security remains an intractable issue. As we previously wrote, there are persistent challenges when it comes to software security and DevSecOps. Consider the penetration of DevSecOps in cloud-native efforts: a recent study from Enterprise Strategy Group found that only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today. That survey did find that the share of companies securing 75% or more of their cloud-native applications with DevSecOps practices is expected to jump from that paltry 8% to 68% within two years. Of course, that’s likely wishful thinking.
The WhiteHat survey painted a gloomier picture than other recent surveys, however. A survey from software security firm Synopsys, which also found that the need for development speed hindered security efforts, reported that 92% of respondents’ organizations have a dedicated application security team and that only 8% have no formal application security program in place.
There is additional promising news from the Synopsys survey: nearly 90% of respondents have developer security training programs in place. “That’s a sign that more organizations are accepting awareness training as an effective way to create a corporate culture of security,” the report found.
It’s hard to think of a more important task than developing secure software when it comes to enabling organizations to defend their business-technology systems. It’s much easier to protect enterprise systems when the software they are built upon is itself resilient to attack. With attackers growing in sophistication and the pace of business and software development accelerating, the need for secure software development awareness, training, and practice is only increasing.