The "Modern Application Development Security" eBook is based on a survey of cybersecurity and application development professionals conducted by Enterprise Strategy Group (ESG). It highlights the extent to which security teams understand modern development and deployment practices, and where security controls are required to lower risk.
The study, involving 378 security professionals in Canada and the US, revealed that 48% of survey respondents consciously push vulnerable code to production due to time pressures. It also found that integrations that complement high-velocity application development are the most important factor (43%) in improving application security programs.
What's the problem?
Dave Gruber, senior ESG analyst and author of the report, noted that DevSecOps has moved security front and centre in the world of modern development. He also acknowledged that security and development teams are driven by different metrics, making objective alignment challenging.
"This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices. The move to microservices-driven architectures and the use of containers and serverless architectures has shifted the dynamics of how developers build, test, and deploy code," he added.
Commissioned by Synopsys, the study's goal is to identify the dynamics between development teams and cybersecurity teams with respect to the deployment and management of application security solutions.
"The key insights identified within this study underscore the fact that organisations need to address application security holistically throughout the development life cycle," said Patrick Carey, director of product marketing for the Synopsys Software Integrity Group.
He added that 45% of organisations consciously pushing vulnerable code into production do so because the vulnerabilities identified were discovered too late in the cycle to resolve them in time.
"This reaffirms the importance of shifting security left in the development process, enabling development teams with ongoing training as well as tooling solutions that complement their current processes so that they may code securely without negatively impacting their velocity," he added.
Key insights from the study include:
Sixty-nine per cent of survey respondents rate the efficacy of their current program as an 8 or higher (with 10 being the most effective). However, as nearly half consciously push vulnerable code on a regular basis, most have experienced production application exploits involving OWASP Top 10 vulnerabilities in the past 12 months.
More than one-quarter of respondents say that their current application security tools add friction and slow down development cycles, while 23% identify poor integration with development/DevOps tools as a common challenge. Additionally, 26% of respondents note a difficulty with or lack of integration between different application security vendor tools as a common application security challenge.
Twenty-nine per cent expressed that developers within their organisation lack the knowledge to mitigate issues identified by their current application security tools. Only 17% say that their developers utilise just-in-time training available within their security tools and just 29% are required to participate in training at least once per quarter.
Fifty-one per cent report plans for significant increases in application security spending over the next 12 months. Forty-four per cent plan to target application security investments toward cloud.
Many organisations are struggling to integrate and manage the number of tools in place, often leading to a reduction in the effectiveness of their security program while also directing an inordinate amount of resources to manage them. With 70% utilising more than ten tools, complexity becomes a key issue. As a result, more than a third focus investments on consolidation.