A survey of 560 application security professionals and software developers in North America and Western Europe, conducted by WhiteSource, a provider of tools for securing open source software, finds there is a long way to go before most organizations can claim to have fully implemented DevSecOps best practices.
Only 20% of respondents said their organization had a mature set of DevSecOps practices in place, while 62% said they were improving. Only 18% described their organization’s approach to DevSecOps as “immature.”
There is considerable disagreement concerning how long those efforts have been underway. While 60% of security professionals said they have had an application security program in place for at least a year, just over a third of developers (37%) said they are aware of an application security program running for longer than a year inside their organization.
Regardless of the length of the program, nearly three-quarters of all respondents (73%) said they feel forced to compromise on security.
Among application security professionals the top DevSecOps challenge identified was vulnerability prioritization (41%), followed by lack of application security skills (35%), budget (34%), lack of cooperation between developers and security teams (31%) and scanning performance (31%). Less than a third (31%) have a formal process in place to prioritize vulnerabilities.
There is also considerable disagreement over whether an application security champion gets designated. Most application security professionals said they have one (60%), while only 40% of developers agreed. The survey also finds that well over one-third of developers (37%) said their organizations don’t provide any secure code training. A mere 22% of developers said their organizations provide training regularly, with another 20% reporting they have tools that allow for “ongoing independent training.” In contrast, only 27% of application security professionals said their organization does not offer secure code training.
Lilach Aviad, director of product marketing at WhiteSource, said the survey makes it apparent there are still lots of gaps when it comes to DevSecOps. Most organizations have embraced the concept but are still a long way from unifying workflows to better prioritize which vulnerabilities to address first.
Priorities also differ fundamentally when it comes to which features matter most in an application security tool. Application security professionals prized integration (48%) above all, followed by accuracy and ease of use, tied at 39%. Developers, in contrast, leaned toward accuracy (25%), closely followed by integration (22%) and ease of use (21%).
Overall, the survey found the most widely employed application security tools are penetration testing, web application firewalls and application programming interface (API) gateways. The acquisition of these tools is most often justified by the need to comply with either vertical industry regulations (25%) or industry standards (22%).
In general, Aviad noted, when it comes to security there is still a lot of resentment among developers: too often, security tools have been selected by application security professionals with little regard to how those tools might fit within the context of a larger DevOps workflow.
Obviously, it is going to take time and effort for most organizations to merge workflows and culture. The good news is that the process has begun in many cases. Less clear is exactly how long it will take to complete.