Concerns surface about resource constraints, information sharing, and buck-passing in the workplace
Many software developers working for large organizations admit to releasing applications they know to be insecure, a new report has revealed.
According to findings published today (May 13) by Osterman Research, 81% of developers who took part in the study made this admission, with those occupying senior roles the worst offenders.
Survey respondents who described their roles as ‘head of DevOps’ or ‘development manager’ were more than twice as likely as front-line development teams to knowingly committing insecure code ‘often’ – 20% for the former versus 9%
They were also less likely to say they ‘never’ released insecure code (20% and 18%, compared to 27% of developers).
Sean Wright, principal application security engineer at Immersive Labs, which sponsored the report, lamented the widespread misconception among developers that security teams are solely responsible for, and capable of, preventing or mitigating all risks.
He told The Daily Swig: “I think that developers are under enormous pressure to deliver new features.
“When this is combined with a general lack of awareness of the potential risk and implications, they likely determine the risk is worth it.”
Wright added that senior developers might also be more inclined to feel “they have the experience to make that judgment call” than their more junior colleagues.
READ MORE Software supply chain attacks – everything you need to know
Perhaps unsurprisingly, then, only 61% of developers and 44% of security pros polled thought their application build environment was secure enough to withstand a dedicated attack like the devastating, nation state-backed exploitation of SolarWinds vulnerabilities earlier this year.
Although security and development teams mostly endorse ‘shifting left’ – whereby security is embedded throughout the development process from the very start – many believe the trend is hindered by resource constraints.
Asked when security should be incorporated into the Software Development Lifecycle (SDLC), both developers and security pros most frequently said the earliest possible stage, known as ‘requirements analysis’ – 29% and 36% respectively.
Catch up on the latest secure software development news
However, only 45% of front-line developers felt they had enough time to learn how to create secure applications – while 40% of security respondents admitted they lacked a comprehensive understanding of the SDLC.
Similarly, modest proportions of security workers believed their team had sufficient time and resources to support shift left (39%), help development teams secure applications (44%), and address prioritized vulnerabilities (50%).
‘Outdated and insufficient’
When it comes to application security threat intelligence, significantly fewer front-line developers and security staff said they had access to such information compared to their senior counterparts.
The gap was particularly wide for developers, with twice the number of senior DevOps staff (63%) saying they had timely access to security information than their more junior colleagues (36%).
Curiously, however, 76% of developers said they received threat information from the security team on a daily or weekly basis.
Meanwhile, more than half of security pros said application security training was provided to engineering and development teams daily, weekly, or monthly.
Nevertheless, the report claims that “the techniques and approaches currently used for sharing information, education, and training are outdated and insufficient”.
A collective effort
Front-line developers were also much less likely than their more senior colleagues to view application security as a critical part of their responsibilities (27% versus 80%) and to claim they understood the latest security threats (64% versus 80% for DevOps leads).
Sean Wright of Immersive Labs said organizations must “foster a security culture and make sure that everyone in the organization understands that they all have a part to play when it comes to security”.
He also called for improved awareness of security vulnerabilities, “regular crisis exercises”, a “move away from alert boxes”, and attempts to foster understanding among developers and security professionals of the “frustrations” faced by each other’s teams.
The findings were based on a poll of 260 developers and security staff at US and UK organizations with an average workforce size of 14,000.
YOU MIGHT ALSO LIKE Ill-advised research on Linux kernel lands computer scientists in hot water