Security analysts want more help from developers to improve DevSecOps


More training on security tools and better performance metrics can accomplish this, according to a new survey.

A survey of 378 security professionals and software developers found that time pressures forced companies to push vulnerable code to production.


Developers and security analysts are working together on a daily basis to build more secure applications, but training is still not a top priority, according to a new survey. Synopsys Inc. published the results of a survey conducted by Enterprise Strategy Group (ESG) in the “Modern Application Development Security” eBook. The survey asked software and security professionals about collaboration, training, and security tools.

Seventy-eight percent of respondents said their security analysts are directly engaged in the software development process, with 31% working directly with developers to review individual features and code, 28% working with developers to do threat modeling, and 19% participating in daily scrums.


Most companies require software developers to complete some security training but not on a regular basis:

  • Quarterly: 29%
  • Annually: 17%
  • When hired: 20%
  • Just-in-time: 17%

The other issue is that only 15% of respondents said that a majority of developers participate in formal security training. 

Dave Gruber, a senior analyst at ESG and the author of the report, said that part of the problem is that security and development teams have different metrics and objectives.

“This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices,” he said in a press release. “The move to microservices-driven architectures and the use of containers and serverless architectures has shifted the dynamics of how developers build, test, and deploy code.” 

The survey also found that 48% of respondents push vulnerable code to production due to time pressures, and 60% report exploits of some of the OWASP Top 10 vulnerabilities. The survey also asked who makes the decision to push code; responsibility was split between the development team, the security team, or sometimes both:

  • Team decision: 28%
  • Development manager: 24%
  • Security analyst: 21%

Managing multiple tools

Forty-three percent of respondents said they have between 11 and 20 individual application security tools in place. At the same time, 54% said this volume was only a minor problem. Half of the respondents said their companies plan to increase spending on these tools over the next year. The top spending priorities, according to the survey, are securing cloud application development processes (43%) and consolidating tools to simplify the overall process (34%).

Survey respondents listed these issues as the top five challenges with testing tools:

  • Limited ability of developers to mitigate the issues identified: 29%
  • Lack of integration between application security vendor tools: 26%
  • Additional friction to development cycles: 26%
  • Limited use of existing security tools by developers: 24%
  • Lack of ability to aggregate and deduce findings from various tools: 24%

Synopsys recommends that AppDev security programs include these 10 elements to be the most effective:

  1. Application security controls are highly integrated into the CI/CD toolchain.
  2. Application security best practices are formally documented.
  3. Application security training is included in the development security training program.
  4. Development managers are responsible for communicating best practices to developers.
  5. A high percentage of developers participate in formal security training.
  6. Security issue introduction is tracked for individual Dev teams.
  7. Formal processes and metrics track continuous improvement of application security.
  8. Continuous improvement metrics are tracked for individual Dev teams.
  9. Security issues are tracked during the code development process.
  10. Automated risk aggregation tools roll up risk to keep senior Dev leaders informed.

Synopsys commissioned ESG to conduct this survey of security and application development professionals in June 2020. ESG surveyed 378 people in manufacturing, financial services, construction/engineering, and business services companies in the US and Canada. 


Security analysts: Industry has not solved the talent gap or provided clear career paths


New survey finds that cybersecurity professionals want more training to keep up with the threat landscape and learn new software platforms.

Cybersecurity professionals want more guidance about how to build a career in the field, according to a new survey.


A small study found that many cybersecurity professionals are only somewhat confident in their CISOs and never get enough training time, but they like their jobs, mostly.

Enterprise Strategy Group (ESG) and the International Systems Security Association (ISSA) released their fourth annual cooperative research report, “The Life and Times of Cybersecurity Professionals 2020.” The groups also conducted a second survey to understand the impact of COVID-19 on cybersecurity.

Jon Oltsik, a senior principal analyst and fellow at ESG, analyzed the survey results with answers from 327 professionals. The results showed that:

  • 68% of respondents said they don’t have a well-defined career path
  • 65% said their companies don’t provide enough training
  • 45% believe the cybersecurity skills shortage has gotten worse over the past few years
  • 29% said they’ve experienced significant personal issues due to job stress or they know someone who has

Oltsik said that the industry has not found the answer to the talent gap. 

“This is a people-centric practice and we’re still behind,” he said. 

At the same time, 77% said they are happy overall as a cybersecurity professional. 


The workplace impacts of the skills shortage include:

  • An increasing workload for existing analysts
  • Unfilled open job requisitions
  • An inability to learn or use cybersecurity technologies to their full potential 

Oltsik said companies are not providing enough time for professional development.

“We need to keep up with training but at the same time we are too busy to keep up with training,” he said.

Oltsik said that companies that get it right have strong mentoring programs and allocate time for continuous training on a regular basis. Investing time and money in training results in better security and better morale which can lower the attrition rate. “This means changing work schedules and paying people overtime to cover for other people in training,” he said.

Oltsik said mentoring programs have to be formal and mentors should be measured on the success of their mentees. 

Another effect of scrimping on training is that the ROI on security tools becomes harder to realize. Among survey respondents who said they didn’t have enough training time, 38% said this includes time to learn how to use security software.

“Companies are spending money on expensive tools but not giving people enough time to figure out how to use them correctly,” he said.

Among the respondents who have a CISO at their company, 47% said the executive was somewhat effective, and 42% graded the leader as very effective.

Respondents listed communication and leadership skills as the two most important skills for a CISO.

Oltsik said that CISOs are often hampered by corporate leaders who don’t take cybersecurity as seriously as they should.

Limited confidence in cybersecurity defenses

In this year’s survey, the two organizations asked respondents to grade how well individual companies and the industry as a whole are doing at keeping up with cybersecurity challenges. From the government to schools to private companies, no one got a good rating. Sixty-four percent of respondents believe their organization should be doing somewhat or a lot more to address cybersecurity challenges. This suggests a disconnect between business, IT, and security teams, or a lack of cybersecurity knowledge at the board level.

And 68% of respondents said that cybersecurity technology and service vendors should be doing somewhat or a lot more to address cybersecurity challenges. A majority of respondents also said that the cybersecurity community at large, government agencies, and public schools should all be doing more.

WFH boosts collaboration

One bright spot in the COVID-19 study was that respondents said working from home is improving collaboration among departments. Slightly more than one-third of organizations have experienced significant improvement in coordination between business, IT, and security executives as a result of COVID-19 issues. Thirty-eight percent have seen marginal improvements, and 21% aren’t convinced but hold out hope for improved coordination.

Oltsik said the survey found that security teams were mostly prepared to support completely remote teams but not for the scale and the urgency of the shift. 


“All these things became much more front and center: Policy management, remote user security, and insider attacks,” he said. 
