What are the biggest concerns on the minds of application security and developers? As part of the inaugural Secure Coding Summit event, ShiftLeft polled conference participants on a wide range of topics related to application security, supply chain security and the current cybersecurity threat environment. The poll included responses from a diverse array of hundreds of attendees, covering large technology and non-technology companies, government, academia and industry experts. In this post, we’ll cover a few of the questions and comment on the findings. Overall, we found that the movement to shift security left to developers remained a work in progress, with some encouraging results and some room for improvement.
One-Third of Dev Teams Don’t Follow Secure Coding Practices
Securing coding practices are the foundation of any effort to write more secure applications. We asked “How often does your dev team use secure software practices?” The good news? 65% of respondents indicated their teams use secure coding practices most or all of the time. That still leaves a hefty minority of teams that either use secure coding practices only some of the time or almost never. Incomplete adoption of secure coding practices is concerning but understandable — appsec and development teams require sufficient support, training and budgets to implement secure coding practices and those are not always available.
DevSecOps Adoption Is Work in Progress
While DevSecOps may be widely discussed, it remains in the early stages of adoption. We asked “How mature is your DevSecOps practice?” Over half have at least basic DevSecOps, but 41.7% are still in the learn-research phase or have no DevSecOps. The upshot? Lots of noise around DevSecOps but it’s still not widespread or a top priority for development teams.
Developer Education Remains the Biggest Barrier to Secure Code
Nearly one-third of respondents reported that all their developers have received training in secure software development. That said, lack of developer education is named the biggest obstacle to writing secure software by over 41% of poll respondents and developers’ lack of security education was the most cited (67%) barrier to effectiveness. In other words, developer education is an area where the majority of software development teams could improve and provision of training and education could go a long way towards more effective application security practices.
AppSec and Developer Mostly Collaborate — But Not Always
Collaboration prevails between AppSec and Developer teams, but often they still operate independently. We asked attendees about the relationship between appsec and development teams in their organizations and how they worked together on security issues. The largest percentage of respondents — 45% — said the two teams collaborate. But 23% said security sets the rules and 26% said developers are free to act independently. When appsec and developer teams are not collaborating and one team or the other sets the rules or determines policies and practices, this often drives gaps between the teams. The gap results in less effective application security practice, policy and applications and makes it more difficult to effectively shift appsec left.
Ransomware the Most Feared Attack
We wanted to take a pulse of what types of cyberattacks were the most feared by conference attendees. Not surprisingly, given the widespread ransomware attacks of the past year, this form of attack ranked as the most worrisome at over 38% of responses. Supply chain attacks like Log4Shell and SolarWinds — which are often closely related to, or are used as pivot points to launch ransomware attacks — came in second, at over 23%.
SCA is the favored Technology to Boost AppSec
With the rise in open source code to become the dominant player in application development, security pros view software composition analysis (SCA) tools as the most important arrow in their quiver against insecure code. We asked, “Which tools are most effective in reducing risk and helping you write more secure software?” and allowed respondents to rank SCA, static application security testing (SAST), dynamic application security testing (DAST), penetration testing and code review in order. More than 50% of respondents ranked SCA as either the first or second most effective tool.
While the results are interesting, the question remains, if two-third use secure coding practices, and over half have at least basic DevSecOps why are attackers still so easily getting in?
We are grateful to all participants and can’t wait to see what they have to say at the next Secure Software Summit.