Security Compass has published the results of a research study examining developer views on application security, including the challenges and opportunities they face in their secure development efforts.
In order for software developers and security teams to effectively collaborate and ensure that a company’s software products are secure, developers need automated, current, relevant, and actionable JITT training embedded into their development tools and processes.
The research found that while most developers believe their enterprise has a mature security posture, almost half find it challenging to stay up to date with current security and compliance-related activities.
Developer views on application security
- The number one most important means to thwarting security threats according to developers is automated threat modeling (46% claiming it was “mission critical” and another 36% indicating it was “quite important”).
- 42% of developers who have been assigned requirements related to security and compliance find it challenging to stay up to date with current security and compliance-related activities.
- 28% of respondents claim that scope “creep” in security compounds challenges, with another 19% believing that security processes take too much time.
- Overall, developers are in favor of security training, with 32% of developers opting to pursue training on their own (63% of respondents reported being mandated to do training).
- Developers from smaller companies ($10M to $100M) were more than twice as likely (31% vs. 14%) as those from the largest companies ($5B+) to use ad hoc or reactive means to “gate-keep” releases from a security perspective.
- On average, 34% of software requirements are related in some way to security and compliance, yet only 25% of companies have shifted security left into the Design Stage of software development.
“When building secure software, developers must be system thinkers. Ideally, they engage secure methods early in the design process, engage with key security personnel and stakeholders and insist on automated cybersecurity tools that efficiently guide them throughout the SDLC,” said Rohit Sethi, CEO of Security Compass.
“Software built with the needs of software developers at the forefront is essential to the task of cybersecurity, and companies that want to attract and support developers in their efforts to build cyber-resilient software need to look to integrated cybersecurity software. This is reinforced by Security Compass’ study that software that provides just-in-time training (JITT) and guidelines for software developers is essential for accomplishing these goals.”
Help Net Security
Mirko Zorz
August 30, 2022