Developers and security analysts are working together on a daily basis to build more secure applications but training is still not a top priority, according to a new survey. Synopsys Inc. published the results of a survey conducted by Enterprise Strategy Group (ESG) in the “Modern Application Development Security” eBook. The survey asked software and security professionals about collaboration, training, and security tools.
Seventy-eight percent of respondents said their security analysts are directly engaged in the software development process with 31% working directly with developers to review individual features and code, 28% working with developers to do threat modeling, and 19% participating in daily scrums.
Most companies require software developers to complete some security training but not on a regular basis:
- Quarterly: 29%
- Annually: 17%
- When hired: 20%
- Just-in-time: 17%
The other issue is that only 15% of respondents said that a majority of developers participate in formal security training.
Dave Gruber, a senior analyst at ESG and the author of the report, said that part of the problem is that security and development teams have different metrics and objectives.
“This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices,” he said in a press release. “The move to microservices-driven architectures and the use of containers and serverless architectures has shifted the dynamics of how developers build, test, and deploy code.”
The survey also found that 48% of respondents push vulnerable code to production due to time pressures and 60% report exploits from some of the OWASP top 10 vulnerabilities. The survey also asked who makes the decision to push code and the responsibility was split between the development team, the security team, or sometimes both:
- Team decision: 28%
- Development manager: 24%
- Security analyst: 21%
Managing multiple tools
Forty-three percent of respondents said they have between 11 and 20 individual application security tools in place. At the same time, 54% said this volume was only a minor problem. Half of the respondents said their companies plan to increase spending on these tools over the next year. The top spending priorities, according to the survey, are securing cloud application development processes (43%) and consolidating tools to simplify the overall process (34%).
Survey respondents listed these issues as the top five challenges with testing tools:
- Limited ability of developers to mitigate the issues identified: 29%
- Lack of integration between application security vendor tools: 26%
- Additional friction to development cycles: 26%
- Limited use of existing security tools by developers: 24%
- Lack of ability to aggregate and deduce findings from various tools: 24%
Synopsys recommends that AppDev security programs include these 10 elements to be the most effective:
- Application security controls are highly integrated into the CI/CD toolchain.
- Application security best practices are formally documented.
- Application security training is included in the development security training program.
- Development managers are responsible for communicating best practices to developers.
- A high percentage of developers participate in formal security training.
- Security issue introduction is tracked for individual Dev teams.
- Formal processes and metrics track continuous improvement of application security.
- Continuous improvement metrics are tracked for individual Dev teams.
- Security issues are tracked during the code development process.
- Automated risk aggregation tools roll up risk to keep senior Dev leaders informed.
Synopsys commissioned ESG to conduct this survey of security and application development professionals in June 2020. ESG surveyed 378 people in manufacturing, financial services, construction/engineering, and business services companies in the US and Canada.