Results of a survey of 103 IT professionals attending the recent DeveloperWeek Austin conference suggest that awareness of cybersecurity issues is clearly rising among developers, yet most organizations still have a long way to go before approaching anything resembling adoption of best DevSecOps practices.
Conducted by WhiteHat Security, a unit of NTT Communications, the survey on DevSecOps adoption finds nearly 75% of developers worry about security and 85% rank security as a very important element of the coding and development process. However, nearly half of the respondents said their development teams lack a dedicated cybersecurity expert. Only 30% of respondents said they have achieved security certifications in their current or prior roles.
More than half (57%) of survey respondents said their teams have the right application security tools in place to incorporate security into the software development life cycle (SDLC). Among those respondents who do use application security tools, a third (33%) scan for vulnerabilities daily, while 29% said they scan weekly and 20% said monthly. The remaining 18% scanned either quarterly, annually or at random.
Also, 14% said they have not been given the proper tools to incorporate security into the SDLC and a third (33%) were unsure what their organizations provided in terms of cybersecurity tools.
While the survey finds 57% are realizing that application security should be a key part of the SDLC, it also finds 43% of respondents still prioritize meeting their application release deadlines over security.
WhiteHat CTO Anthony Bettini said it is apparent organizations are struggling to strike a balance between application delivery velocity and security. Organizations are under pressure to digitize more processes faster. However, that pressure can result in a lot more friction being created between developers trying to meet a deadline and cybersecurity professionals who ultimately are held accountable for the integrity of the overall IT environment, he noted.
To bridge that divide, Bettini said a lot more work needs to be done in terms of driving the convergence of processes, people and tooling required to achieve DevSecOps. On the plus side, however, he noted that within many organizations DevSecOps is starting to supersede DevOps as a development philosophy.
The biggest issue organizations may need to worry about as they strive to achieve that goal may be burnout. The survey finds more than half (52%) of participants have experienced burnout as a result of the intense pressure to deliver secure applications on time.
Overall, the survey makes it clear developers at the very least are willing to pay a lot more attention to cybersecurity. Compared to the way developers tended to view cybersecurity just a few short years ago, that alone represents substantial progress. The challenge organizations face now is finding a way to make it as simple as possible for developers to do the right thing from a cybersecurity perspective. There always will be the natural temptation to address a security issue later in the development cycle to meet a deadline. The trouble is that when cybersecurity issues continue to get kicked down the DevOps road, they all too often wind up becoming a major issue after an application has already been deployed in a production environment.