92 percent of organizations struggle to implement security into the entire DevOps process despite most saying they want to do so — a staggering capability gap exposed in the new, global data report from FreeForm Dynamics in collaboration with The Register called “Managing Software Exposure: Time to Fully Embed Security into Your Application Lifecycle.” Commissioned by Checkmarx, the study spotlights the biggest barriers to securing software today depending on where organizations sit on the DevOps maturity curve.
Report findings are based on online survey input from 183 respondents worldwide, the majority of whom hold software development, IT and security professional titles ranging in seniority from management to specialists and in-between, and coming from a wide range of industry sectors.
“Today, software is everywhere and the majority of respondents agree that it is integral to most business initiatives, yet there are still many gaps when it comes to securing that software,” said Maty Siman, Checkmarx founder and CTO. “Increased software complexity and the need to move at the speed of DevOps is creating a new type of risk in the form of software exposure, and as the results of this report attest, software security also needs to change.”
Other key findings include:
Gaps exist between theory and practice when it comes to security’s place in DevOps
96 percent of respondents report it is “desirable” or “highly desirable” for developers to be properly trained on how to produce secure code. As developers take responsibility for the security of their software, more respondents believe it is more important to educate developers and empower them than it is to educate other stakeholders in the organization like ops specialists and security specialists. But 41 percent agree that defining clear ownership and responsibility in relation to software security remains a big challenge, and just 11 percent say they have adequately addressed the need for developer education.
“More respondents say they believe it is more important to educate developers and empower them than put proper processes in place,” Siman said. “This is interesting, as most organizations today are actually doing the opposite. They focus more on processes like break build as well as one-off activities such as pen testing, rather than investing in securing their entire DevOps processes.”
Software security is a boardroom-level discussion, and it needs to be treated as such
57 percent of respondents strongly agree or agree with the statement that software security is now a boardroom issue. It’s a matter of business risk. In order to ensure better software security, developers and security teams need support from their executive teams, but 45 percent find it challenging to get senior management to approve funding for security training. 44 percent say executives don’t care about how quickly, frequently and safely developers deliver software, they just want them to do it.
Developers, testers, security specialists and ops staff need to work together
Although more than half of respondents do not have adequate code scanning solutions to flag potential security exposure early on, solutions are not the only thing needed to drive improvement. The majority say the way we fundamentally approach software security requires a rethink based on modern architectures and delivery approaches. The human factor poses both an opportunity and a challenge. Nearly 100 percent agree that developers, testers, security specialists and ops staff need to work together. Yet, 72 percent of respondents agree that different teams and disciplines within IT are still too often reluctant to trust each other.