CA affiliate Veracode has announced the results of a study examining the relationships between application developers and security teams.
The study, conducted in conjunction with Enterprise Strategy Group (ESG), shows that despite the pervasive belief that security and development teams have conflicting priorities, initiatives such as creating DevOps environments and focusing on product innovation have the two teams aligned toward a common goal of creating secure software. In fact, according to the research, 58% of survey respondents stated their organisation is taking a collaborative approach to securing applications.
The research aims to determine security and development professionals’ views of application security and software development trends. Among respondents reporting their organisation currently uses application security solutions like static application security testing, 43% report their organisation does so because including application security in the development process is more efficient than reactively patching production systems.
Interestingly, 45% of respondents whose organisation has adopted formal DevOps principles and best practices indicate DevOps makes the software development team’s job easier, and only 8% feel adding application security into the development process would slow down a DevOps environment. This is contrary to the common perception that a focus on security will slow down software development.
“Software continues to be the major driver of innovation and economic growth. Eliminating perception that there is friction between security and development is a priority for IT professionals,” says Pete Chestna, director of developer engagement, Veracode. “The positive perception of how security and DevOps can align, as indicated by this research, shows that development teams can and should consider security an integral part of their process.”
This development could not come at a better time for businesses, as attacks leveraging software vulnerabilities are increasingly common and damaging. WannaCry is the most recent example, exploiting vulnerability in an older version of the Microsoft Windows operating system. While Microsoft had issued a patch for the vulnerability, thousands of organisations had not implemented the fix and became infected by WannaCry.
The research also indicates showed that nearly 70% of respondents plan to increase Application Security investments in the next 12 to 24 months. This increased investment further validates the growing importance of Application Security in the development process.
The research points to the need for application security to become an integrated part of the DevOps process – the combination increasingly known as DevSecOps – and that this need is both recognized and accepted. The data also highlights the technology requirements necessary to make DevSecOps a reality. Tool complexity and the inability to integrate application security into the DevOps workflow are major obstacles to organisations deploying these tools effectively. In fact, the ability to integrate static software testing and software lifecycle tools (42%) and the ability to integrate dynamic software testing and software lifecycle tools (34%) into the application development and DevOps processes was the most cited consideration when evaluating static and dynamic application security testing products and services respectively.
“Contemporary application development methodologies such as DevOps foster communication and collaboration between the application development, operations and security teams with the goal of identifying and fixing vulnerabilities as early as possible to increase efficiency and enhance security,” says Doug Cahill, senior analyst at ESG. “The increased adoption of DevOps combined with the eagerness to integrate and automate security testing throughout the entire software lifecycle indicates a shift towards DevSecOps, which means thinking of secure code as an element of creating quality code.”