The answer is obvious, but apparently about half of the professional respondents in a recent study did exactly that.
A recent survey of application development professionals has found that nearly half (48%) of respondents consciously pushed vulnerable code to production due to time pressures. The study also found that 43% identified integrations that complement high-velocity application development as the most important factor in improving application security programs.
An e-book based on the survey, conducted by IT-research firm Enterprise Strategy Group and commissioned by Synopsys, Inc., has also been released, highlighting the extent to which security teams understand modern development and deployment practices, and where security controls are required to lower risk.
Said Dave Gruber, Senior ESG Analyst: “DevSecOps has moved security front and center in the world of modern development; however, security and development teams are driven by different metrics, making objective alignment challenging. This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices. The move to microservices-driven architectures and the use of containers and serverless architectures has shifted the dynamics of how developers build, test, and deploy code.”
Addressing application security holistically
ESG surveyed 378 qualified cybersecurity professionals with insight into and responsibility for security application development technologies, and application development professionals involved with securing development tools and processes. The survey respondents worked at organizations in multiple industry verticals including manufacturing, financial services, construction/engineering, and business services, among others throughout the United States and Canada.
According to Patrick Carey, Director of Product Marketing, Synopsys Software Integrity Group: “The key insights identified within this study underscore the fact that organizations need to address application security holistically throughout the development life cycle. Of the organizations consciously pushing vulnerable code into production, 45% (did) so because the vulnerabilities identified were discovered too late in the cycle to resolve in time. This reaffirms the importance of shifting security left in the development process, enabling development teams with ongoing training as well as tooling solutions that complement their current processes so that they may code securely without negatively impacting their velocity.”
Key insights from the study include:
- Most organizations believed their application security program was effective, though many still pushed vulnerable applications into production.
69% of survey respondents rated the efficacy of their current program as an 8 or higher on a scale of 0 to 10 (with 10 being the most effective). However, nearly half of organizations consciously pushed vulnerable code on a regular basis, and most had experienced production application exploits involving OWASP Top 10 vulnerabilities in the past 12 months.
- DevOps integration is a critical element for improvement.
More than one-quarter of respondents said that their current application security tools added friction and slowed down development cycles, while 23% identified poor integration with development/DevOps tools as a common challenge. Additionally, 26% of respondents cited difficulty with, or a lack of, integration between different application security vendor tools as a common application security challenge.
- Developers play an important role in application security, but they lack the skills and training.
Nearly one-third (29%) of respondents said that developers within their organization lacked the knowledge to mitigate issues identified by their current application security tools. Furthermore, only 17% said that their developers used the just-in-time training available within their security tools, and just 29% were required to participate in training at least once per quarter.
- Organizations are planning to increase application security spending.
More than half (51%) of respondents reported plans for significant increases in application security spending over the next 12 months. About 44% planned to target application security investments toward the Cloud.
Finally, the research indicated that AppSec tool proliferation is driving many organizations to invest in consolidation. Many organizations were struggling to integrate and manage the number of tools in place, often leading to a reduction in the effectiveness of their security program while also directing an inordinate amount of resources to manage them.
With 70% utilizing more than 10 tools, complexity became a key issue, and as a result, more than a third were focusing investments on consolidation.