Despite the importance of software security and the advancements made to protect applications, developers are still having a hard time developing secure solutions. A new study from Veracode shows that while developers' top concerns are cyberattacks and data breaches, they see security testing as a risk to their development schedules and deadlines.
“Development teams face an onslaught of challenges from every direction as software development cycles accelerate and the responsibility for meeting operational requirements ‘shifts left’ to developers. Add to this the growing importance of application security (AppSec) and an increased pressure on organizations to comply with regulations and reduce business risk from the ever-present threat of cyberattacks,” according to Veracode’s Secure Development Survey.
The report surveyed developers and development managers from the U.S., U.K. and Germany. More than half of the respondents said security testing slowed down their development and delayed deadlines, while 24% of developers reported that the development team didn't have authority over security. A majority of respondents said security was handled by a separate team outside of development, while others said the responsibility was shared with another team, that the security team reports to the development team, and/or that they outsource app security.
“As developers and development managers, your role in application security continues to expand and increase in value,” the report states.
The report also revealed that while 40% of respondents integrate app security at the programming stage of the lifecycle, bringing it earlier in the lifecycle can help reduce costs. According to the report, integrating security at the requirements stage or earlier cuts development cycle costs significantly.
Businesses are also using continuous delivery, web application firewalls and multi-tiered approaches to address security.
“In an age where continuous deployment and frequent innovation is critical to the success of business, it is unacceptable for security testing to hinder development efforts,” said Tim Jarrett, director of security at Veracode. “As DevOps environments become a standard method of developing software, the industry has an opportunity to continuously improve the way it integrates security into the development process.”
Other challenges the report revealed included an increase in complexity from legacy app security processes; complicated development environments with a variety of languages and platforms; and various security standards and policies across the business.
When asked which vulnerabilities scared them the most, developers named sensitive data exposure, broken authentication and session management, missing function-level access control, cross-site scripting and injection as top concerns.