Overwhelmed and resource-starved app developers are approving vulnerable code and pushing it into live applications in alarming numbers, according to a new research report.
Equally troubling: 44% of polled security teams said they doubted their application build environment is secure enough to repel a dedicated attacker’s attempt at a compromise, such as the one that SolarWinds experienced last year.
The report, from Immersive Labs and Osterman Research, drew its conclusions from a survey of 260 development and security teams in large organizations. Most development teams, 81%, revealed they had knowingly pushed flawed code live, and 20% senior of managers even admitted to committing this unsafe practice often.
The disappointing survey responses illustrate some of the reasons why President’s Biden’s executive order on cybersecurity is seeking to create remedies for software vulnerabilities.
“The fact that secure software development is given such prominence in the EO in the wake of the Colonial Pipeline attack is a good sign and underlines a growing acceptance of its importance as a risk factor,” said Sean Wright, principal application security engineer at Immersive Labs, in emailed comments. “Unfortunately, our research that just went live today shows there is a lot of hard work ahead to achieve the desired culture of security in software development. With the vast majority of developers admitting to knowingly pushing vulnerable code live, it underlines the fact that security is still not given priority.”
The report exposes several key problems that can impede or introduce risk into the software development lifecycle. For instance, only 39% of security teams said they have ample time and resources to devote to shifting left.
Especially troubling: Immersive Labs spotted a “worrying disconnect” between front-line developers and their managers. Indeed, only 27% of the former group said they agreed that security is among their responsibilities, while 80% of the latter group did.
“If the people writing the code don’t think it’s important, it is hard to make progress,” said Chris Eng, chief research officer at Veracode. “It’s great that 80% of development managers feel some sense of ownership for security, but they clearly aren’t doing a very good job of holding developers accountable.”
Immersive Labs’ findings seem to support previous research efforts that have also highlighted the prevalence of application flaws.
“Veracode’s own research found that 76% of applications contain at least one security vulnerability, and 71% inherit at least one vulnerability from open-source libraries,” Eng continued. “We also know that in about half of all applications, developers are introducing new security flaws faster than they’re fixing existing ones. So it’s not at all surprising that this 81% of development teams in this survey admitted to shipping known vulnerable products.”
Robert Haynes, open source and software composition analysis evangelist at Checkmarx, said that the survey results “just go to show how far we as an industry have to go to make security a foundational component of software quality. Until the security of the products that development teams are producing is seen by everyone as intrinsic to quality of work, we are going to continue to see these kinds of disconnects.”
Haynes continued: If these results seem surprising, ask yourself: How many development teams would be celebrated for halting an urgent build or release in the name of security? If we believe that security is essential to software quality – as we should – we need to learn the lessons of quality-focused manufacturing systems, where behaviors that improve long-term quality and integrity are rewarded, even if this means prioritizing security over speed of production in certain instances.”
But this will require a culture shift. Better tools and training can help accelerate the transformation, said Haynes – especially when they help highlight security issues in an automated and friction-free way. But such services “must also be coupled with companywide buy-in and an authentic change in the way development teams and organizations think about and approach software quality.”