A majority of developers feel forced to sacrifice security for the speed that today’s development cycles require. A recent report from WhiteSource found that 73% of security teams at organizations are forced to cut corners, and that the AppSec tools they use serve mainly to check the box on DevSecOps improvements rather than being used effectively.
“There are a lot of advantages to the proliferation of automated tools throughout the DevSecOps pipeline. However, managing and orchestrating all of them has also become a process in itself that can take up a lot of time, and also create further friction between teams using a variety of different tools,” David Habusha, vice president of product at WhiteSource, told SD Times.
According to the report, tools at an organization are sometimes chosen without much input from developers and can become difficult to adapt and integrate into their workflows. In fact, ease of integration was rated as the most important feature in an AppSec solution by developers. There is also some disconnect between the security teams and developers on what features are most important in an AppSec solution.
Developer adoption received a very low priority from security professionals, who instead prioritized security needs such as detection and ease of implementation.
One way the report suggests bridging this divide is to create an AppSec champion who helps teams develop the right skills, prioritization methods, and effective communication. About 40-60% of organizations stated they have an AppSec champion, which can nearly double the chance of reaching agreement on a standardized process, according to the report.
With AppSec adoption still relatively new at many organizations, there is still a significant AppSec knowledge and skills gap that is being neglected by organizations, according to the WhiteSource DevSecOps Insights Report.
As teams are required to address a growing list of urgent security alerts with these new tools, prioritization of which security issues need to be resolved first becomes more important.
“Figuring out what to remediate first, or how to prioritize, has become a time-consuming and often contentious task that might delay the quick remediation of the most critical and time-sensitive issues,” Habusha added.
Sixty percent of security professionals stated they have had an AppSec program in place for at least a year, and only 37% of developers surveyed reported that they were not aware of an AppSec program running for longer than a year inside their organization. Additionally, 60% of developers stated that they have no secure code training.
“Improving developers’ AppSec skills is as wide an investment as purchasing AppSec tools. It boosts shift-left practices and helps bridge the divide between security and development teams,” the report stated.
The report concluded that there is a clear correlation between perceived maturity level and higher usage of AppSec tools. DAST, SCA, IAST, containers, and RASP were found to be used at least twice as much in mature organizations compared to immature ones.
The two most commonly cited reasons for purchasing new application security tools were meeting industry-specific regulations, at 25%, and compliance with industry standards, at 22%.
“While many of the issues we see as challenges today are on their way to being resolved, DevSecOps is an exciting ecosystem that’s constantly evolving. While DevSecOps maturity is just around the corner for many organizations and it may become ubiquitous for them, there will always be new challenges to face when it comes to addressing security risks and ensuring an agile DevSecOps pipeline,” Habusha said. “The organizations that invest in establishing a culture of open communication, shared responsibility, and continuous quality and security automation throughout the DevSecOps pipeline, will be the ones that are able to face these challenges head-on.”