Study highlights need to address AppSec throughout the SDLC
Companies are gaining competitive advantage by adopting DevOps principles, a cultural philosophy of software development that enables them to design products and applications faster in a collaborative environment. A key advantage of DevOps is collaborative development underpinned by systems, processes and methodologies, including automation, tooling and know-how.
As opposed to traditional systems and practices, where software development and operations were executed in silos, DevOps brings teams together to work from development through testing and deployment. While working in an integrated environment enables closer collaboration and faster processes, it does not always result in the most secure output: DevOps adoption is driven by the organizational need for speed to achieve business objectives, and security is compromised when no vulnerability checks are in place. Worse, when a security risk is discovered late in the development process or after release, it takes that much more time and effort to address.
To overcome this gap, DevOps practitioners added another dimension to this process, known as DevSecOps: a methodology designed to make security an integral part of development processes, which significantly enhances an organization's ability to build security capabilities.
Yet DevSecOps is still in its infancy, and there is a lack of understanding among DevOps practitioners, as DevOps and security teams have conflicting metrics: one seeks speed and agility, while security testing calls for rigor, which is often time consuming.
A recent study by Enterprise Strategy Group (ESG), a leading IT analyst and research organization, inquired into the dynamics between development and cybersecurity teams with respect to the deployment and management of AppSec solutions. The report, which underscored the need for holistic integration of AppSec throughout the development cycle, is based on a survey of 378 qualified respondents in cybersecurity and application development, across industries including manufacturing, financial services, construction/engineering and business services in the United States and Canada.
Key findings of the study include:
- Organizations knowingly ship vulnerable code into production, with 45% of respondents doing so because the identified vulnerabilities were discovered too late in the cycle. Worse, about 60% of respondents have experienced production application exploits involving the Open Web Application Security Project (OWASP) Top 10 vulnerabilities in the past 12 months.
- Interestingly, 26% of respondents say current application security tools add friction and slow down development cycles, with nearly a quarter (23%) identifying poor integration with DevOps tools as a common challenge. Clearly, DevOps integration is a critical element for improvement, with over 26% of respondents pointing to difficulty or lack of integration between different application security tools as the most common challenge.
- Developers play an important role in application security but lack skills and training, with 29% of respondents recognizing that developers in their organization lack the knowledge to mitigate issues identified by current application security tools. There is a lack of initiative at the organizational level: only 29% report that developers are required to participate in training at least once a quarter, and only 17% say developers use the just-in-time training available within the security tools.
- The good news is that organizations will increase application security spending, with 51% of respondents planning an increased budget in the next year and 44% planning to target application security investments toward the cloud.
- Proliferation of AppSec tools is increasing complexity, with 72% of respondents using more than 10 tools. This is driving organizations to invest in consolidation, as many struggle to integrate and manage their tools, which often reduces the effectiveness of the security program while also tying up a large number of resources to manage them.
DevSecOps is not just a methodology but a business imperative, as early detection of security flaws has long-term financial implications. It reduces the cost of reworking code; gives the organization higher responsiveness, as the time between vulnerability detection and rectification is reduced; and delivers higher customer satisfaction through better-quality code.