Shifting security left is a work in progress
What are the main security concerns for applications and developers?
As part of the inaugural Secure Software Summit event, ShiftLeft surveyed conference attendees on a wide range of topics related to application security, supply chain security and the current cybersecurity threat environment. The survey included responses from hundreds of participants, spanning large tech and non-tech companies, governments, universities and industry experts. In this article, we will address some of the questions and comment on the results. Overall, we found that the movement to shift security to developers remains a work in progress, with encouraging results and room for improvement.
A third of development teams do not follow secure coding practices
Secure coding practices are the foundation of any effort to write more secure applications. We asked, “How often does your development team use secure software practices?” The good news? 65% of respondents indicated that their teams use secure coding practices most or all of the time. This still leaves a strong minority of teams that only use secure coding practices occasionally or almost never. Incomplete adoption of secure coding practices is concerning but understandable – AppSec and development teams need sufficient support, training and budgets to implement secure coding practices, and these are not always available.
DevSecOps adoption is underway
Although DevSecOps is widely discussed, it remains in the early stages of adoption. We asked, “How mature is your DevSecOps practice?” More than half have at least basic DevSecOps, but 41.7% are still in the learning phase or have no DevSecOps at all. The result? Lots of noise around DevSecOps, but it is still not widespread or a top priority for development teams.
Developer training remains the biggest barrier to securing code
Nearly a third of respondents said that all of their developers have received training in secure software development. That said, lack of developer training was cited as the biggest barrier to writing secure software by more than 41% of survey respondents, and lack of security training for developers was the most cited barrier (67%) to effectiveness. In other words, developer training is an area where the majority of software development teams could improve, and providing training and education could go a long way toward more effective application security practices.
AppSec and developers mostly collaborate, but not always
Collaboration prevails between AppSec and development teams, but they often operate independently. We asked participants about the relationship between AppSec and development teams in their organizations and how they work together on security issues. The largest percentage of respondents – 45% – said the two teams collaborate. But 23% said security makes the rules and 26% said developers are free to act independently. When AppSec and development teams do not collaborate and one team or the other sets the rules or determines the policies and practices, it often creates gaps between the teams. Those gaps result in less effective application security practices, policies and applications, and make it more difficult to shift application security left.
Ransomware is the most feared attack
We wanted to take the pulse of the types of cyberattacks most feared by conference attendees. Unsurprisingly, given the widespread ransomware attacks of the past year, this form of attack ranked as the most worrisome with over 38% of responses. Supply chain attacks like Log4Shell and SolarWinds – which are often intertwined or used as pivot points for launching ransomware attacks – came in second, at over 23%.
SCA is the preferred technology to boost AppSec
With open source code having become the dominant component of application development, security professionals see software composition analysis (SCA) tools as the most important arrow in their quiver against insecure code. We asked, “What tools are most effective at reducing risk and helping you write more secure software?” and allowed respondents to rank SCA, static application security testing (SAST), dynamic application security testing (DAST), penetration testing and code review in order. More than 50% of respondents ranked SCA as the first or second most effective tool.
While the results are interesting, the question remains: if two-thirds use secure coding practices and more than half have at least basic DevSecOps, why do attackers still get in so easily?
We are grateful to all participants and look forward to seeing what they have to say at the next Secure Software Summit. Secure Software Summit brings together the world’s leading secure software development innovators, practitioners and scholars to share and teach the latest methods and breakthroughs in secure coding and deployment practices designed to entertain, teach and enlighten. View event recordings here: https://www.techstrongevents.com/Secure-Software-Summit.
Secure Software Summit Findings originally appeared on the ShiftLeft Blog on Medium.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium written by the ShiftLeft team. Read the original post at: https://blog.shiftleft.io/secure-software-summit-findings-e2d8b23cc8e5?source=rss—-86a4f941c7da—4