The shift-left revolution is upon us. Just because it’s a cliché doesn’t mean it isn’t true. As software development organizations continue to adopt DevOps culture, processes, and tools, developers are taking up the practice of testing and securing their applications as early as possible in the DevOps pipeline.
This is quite a change from the traditional waterfall method. There, developers handled the design and creation of a product or application, and security professionals came in only after they had finished, to review and test its security, flag any possible issues, and send them back to the software teams to figure out.
This fundamental change in the way companies address application security affects many of the moving parts in a software organization. It requires a new set of processes, practices and tools to be put in place, all while keeping up with today’s fast-paced release cycles.
To gain insight into how developers are handling this hefty challenge, we polled more than 600 developers in software organizations and asked them how security figures into their day-to-day tasks and processes, and which tools help them address their evolving roles.
Developers: Owning Their Shift Left
The first thing we wanted to learn is whether developers are on board with the shift-left approach that most organizations have adopted for security testing. Our findings showed that, for the most part, developers are taking ownership of the day-to-day operational responsibility for AppSec in their organizations, playing a more significant role in securing their products.
When asked who owns the day-to-day operational responsibility for AppSec in their organizations, 23% answered that developers own it, 21% said DevOps, 28% said software development team leaders, and only 29% said the security teams in their organizations are the owners.
The fact that a whopping 71% of developers place the ownership of AppSec squarely on the shoulders of software development and DevOps staff means that developers are very much on board with the shift-left movement and have taken on the new security tasks that come with it.
Breaking it down, we also found that in smaller organizations more developers and DevOps professionals feel that they own their AppSec responsibilities, while those percentages drop in larger organizations. This can be explained by the fact that smaller companies often have less specialization, requiring developers to branch out of their professional comfort zone. Smaller organizations also tend to give developers more freedom and flexibility to define their own processes.
Do these responses mean that, in addition to their focus on innovation, functionality and quality, developers have also added security to their considerations when creating and building projects?
The answer would appear to be yes, according to 58% of the developers in our survey, with an additional 39% saying that security figures into their considerations when issues arise (14%) or that they validate security before deployment (25%). Only 3% of developers said that security is none of their concern because it slows them down.
[Chart: Are you taking security into consideration when developing software?]
While their responses show that there is still a way to go before security is completely baked into development processes, it’s clear that most developers are already heading in the right direction, making security a priority within their tight schedules.
The AppSec Process: Who’s On First?
How does making security a top priority, or at least a consideration, figure into the different phases of the DevOps pipeline? Practically, where is it being applied? We asked developers at which phase of the software development life cycle (SDLC) they begin application security testing.
Their answers showed once again that developers are taking on security where it traditionally was not part of their workflow. In fact, many replied that they are integrating security testing tools as early as the pre-build stage, with 36% of the respondents saying that they test in their IDE and repositories.
Survey results also showed that, along with DevOps processes, they are adopting tools that help them shift security further left. 68% of developers report using at least one AppSec technology such as SAST (static application security testing), DAST (dynamic application security testing), SCA (software composition analysis), IAST (interactive application security testing) or RASP (runtime application self-protection). All of these automated solutions help security teams and developers detect potential security issues in their products, giving software teams visibility and control over their AppSec.
A Question of Remediation
So far, the survey results show that developers have taken their place on the front lines of AppSec and the shift-left revolution, arming themselves with an impressive collection of automated detection tools. However, these solutions are creating a new set of issues that should worry stakeholders.
It appears that the much-needed security testing tools are threatening to bury development teams under a mountain of alerts, which they are now required to research and remediate while keeping up with their deadlines. It’s impossible for developers to keep up with all of the security alerts in their inbox, especially considering that many AppSec tools were built for security teams and tuned for broad coverage (detecting every potential issue) rather than for accuracy and prioritization.
This poses quite a challenge for developers, who say that they are spending a substantial chunk of their very valuable time on remediation-related tasks. A full 42% of the respondents reported that they spend between two and 12 hours each month on these tasks, while another 33% said that they spend 12 to 36 hours a month on them.
In light of these time-heavy statistics, it is clear that developers need new technologies and practices that let them prioritize security without slowing down the development life cycle and costing them so many valuable work hours.
Helping Developers Win the Race to Remediation
The survey results showed that developers today are required to take the lead on application security, but need more backup to do so. Detection tools can take developers part of the way, but to carry them through to remediation, organizations must provide developer-focused solutions that help them close the loop from detection to remediation.
Once developers are alerted to a newly detected security vulnerability in their project, they need to validate it, assess its impact, research remediation options and carry out the chosen remediation path. Currently, these are all time-consuming manual processes that require a certain level of skill and proficiency.
With developers poised to face security head-on, organizations that expect them to fully address AppSec need to give them tools that integrate easily into their native environments and take vulnerability management one step further. Such tools should prioritize security alerts so that developers can get to the most burning issues first, and even automate the remediation process.
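The triage step described above (validate the alert, weigh its impact, pick the cheapest effective fix) can be made mechanical for the first pass. The following Python script is an added example and is not the survey authors' tooling or any vendor's product: it takes alerts from two assumed scanners (an SCA tool and a SAST tool) already normalised to one record shape, drops duplicates, scores each finding by severity, reachability, known-exploit status and fix availability, and then fits the ranked list into a monthly remediation budget like the two-to-twelve hours many respondents reported. The alert records, the vulnerability ids (placeholders, not real advisories), the weights and the effort model are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample alerts, normalised to one record shape. The ids are
# placeholders rather than real advisories; severities and flags are made up.
SAMPLE_ALERTS = [
    {"tool": "sca", "id": "PLACEHOLDER-VULN-1", "component": "lib-a",
     "severity": "critical", "fix_available": True, "reachable": False, "exploit_known": False},
    {"tool": "sca", "id": "PLACEHOLDER-VULN-2", "component": "lib-b",
     "severity": "high", "fix_available": True, "reachable": True, "exploit_known": True},
    {"tool": "sast", "id": "sql-injection", "component": "app/db.py:42",
     "severity": "high", "fix_available": False, "reachable": True, "exploit_known": False},
    {"tool": "sast", "id": "hardcoded-secret", "component": "app/config.py:7",
     "severity": "medium", "fix_available": False, "reachable": True, "exploit_known": False},
    # Duplicate of VULN-2 (e.g. the same dependency reported from two lockfiles).
    {"tool": "sca", "id": "PLACEHOLDER-VULN-2", "component": "lib-b",
     "severity": "high", "fix_available": True, "reachable": True, "exploit_known": True},
    {"tool": "sca", "id": "PLACEHOLDER-VULN-3", "component": "lib-c",
     "severity": "low", "fix_available": False, "reachable": False, "exploit_known": False},
]

# Assumed weights; tune them to the organisation's risk appetite.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass
class Finding:
    tool: str
    id: str
    component: str
    severity: str
    fix_available: bool
    score: float
    effort_hours: int


def score_alert(alert: dict) -> float:
    """Turn one alert into a priority score (higher means fix sooner)."""
    score = float(SEVERITY_WEIGHT.get(alert.get("severity", "").lower(), 0))
    # Code the application actually reaches outranks dead code and unused deps.
    score *= 1.5 if alert.get("reachable") else 0.5
    # A publicly known exploit raises urgency.
    if alert.get("exploit_known"):
        score *= 1.5
    # A ready fix (e.g. a version bump) is cheap to apply, so nudge it forward.
    if alert.get("fix_available"):
        score += 1
    return round(score, 2)


def estimate_effort(alert: dict) -> int:
    """Assumed effort model: a vendor-supplied fix is a one-hour upgrade;
    anything else needs a code change plus review."""
    return 1 if alert.get("fix_available") else 4


def dedupe(alerts):
    """Yield each (tool, id, component) triple once, keeping the first copy."""
    seen = set()
    for alert in alerts:
        key = (alert["tool"], alert["id"], alert["component"])
        if key in seen:
            continue
        seen.add(key)
        yield alert


def triage(alerts) -> list[Finding]:
    """Deduplicate, score and rank alerts, highest priority first."""
    findings = [
        Finding(a["tool"], a["id"], a["component"], a["severity"],
                bool(a.get("fix_available")), score_alert(a), estimate_effort(a))
        for a in dedupe(alerts)
    ]
    # sorted() is stable, so findings with equal scores keep their incoming order.
    return sorted(findings, key=lambda f: f.score, reverse=True)


def plan_within_budget(findings: list[Finding], hours: int) -> list[Finding]:
    """Greedy plan: walk the ranked list and take every finding that still fits."""
    plan, remaining = [], hours
    for finding in findings:
        if finding.effort_hours <= remaining:
            plan.append(finding)
            remaining -= finding.effort_hours
    return plan


if __name__ == "__main__":
    ranked = triage(SAMPLE_ALERTS)
    for f in ranked:
        print(f"{f.score:6.2f}  {f.tool:4}  {f.severity:8}  {f.id}  ({f.component})")
    print("this month:", [f.id for f in plan_within_budget(ranked, 6)])
```

With the constructed input, the reachable high-severity dependency with a known exploit and an available fix ranks first, the unreachable critical finding drops below the reachable SAST injection finding, and a six-hour budget covers the top three items. The point is the shape of the pipeline (normalise, dedupe, score on more than raw severity, then plan against real developer time), not the specific weights, which any team would calibrate against its own backlog.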