Despite the best of intentions among security and development teams, finding common ground can be a real challenge. Both sides are driven by different—and often competing—metrics, making alignment even harder. Add to that the fact that most security teams lack an understanding of modern application development practices, including the move to microservices-driven architectures and the use of containers, and the gap between the teams widens still further.
To determine the size of this gap and the extent to which security teams understand modern development and deployment practices, Synopsys commissioned Enterprise Strategy Group (ESG), a leading IT analyst and research organization, to document insights into the dynamics between development teams and cybersecurity teams with respect to deployment and management of AppSec solutions.
Based on a survey of 378 qualified respondents in cybersecurity and application development across the United States and Canada, representing several industries including manufacturing, financial services, construction/engineering, and business services, the study underscores the need to address AppSec holistically throughout the development life cycle.
One of the study’s key findings is that 45% of organizations that knowingly push vulnerable code into production do so because the vulnerabilities were discovered too late in the cycle to resolve in time. Additionally, 43% of respondents say integrations complementing high-velocity development are most important to improving security programs.
These findings reaffirm the importance of shifting security left in the development process, enabling development teams with ongoing training as well as tooling solutions that complement their current processes so they can code securely without negatively impacting their velocity.
Key insights of the ESG study
- Most organizations believe their application security program is effective, though many still push vulnerable applications into production. Sixty-nine percent of survey respondents rate the efficacy of their current program as an eight or higher on a scale of 1-10 (with 10 being the most effective). However, most (60%) have experienced production application exploits involving OWASP Top 10 vulnerabilities in the past 12 months.
- DevOps integration is a critical element for improvement. Over a quarter (26%) of respondents note a difficulty or lack of integration between different application security vendor tools as the most common challenge.
- Developers play an important role in application security, but they lack the skills and training. Nearly one-third (29%) of respondents express that developers within their organization lack the knowledge to mitigate issues identified by their current application security tools.
- Organizations are planning to increase application security spending. Over half (51%) of respondents plan to increase application security spending significantly in the next year.
- AppSec tool proliferation is driving many organizations to invest in consolidation. With 72% of respondents using more than 10 tools, complexity becomes a key issue. As a result, over a third are focusing their investments on consolidation.
To learn more, download the ebook, “Modern Application Development Security.”
Patrick Carey, Director, Product Marketing, Synopsys
Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at www.synopsys.com/software.