Developers agree: Application security processes have a negative impact on productivity


86% of developers polled in a recent survey said every single aspect of appsec hinders their ability to push code.


A new survey of developers has found that there isn’t a single aspect of application security (appsec) that fewer than 80% of developers said inhibits their productivity.

Application security involves tools used to find and fix vulnerabilities in applications, and the report, released by appsec firm ShiftLeft, makes it seem that all of those tools are thorns in developers’ collective sides.


The degree to which various aspects of appsec hinder developer productivity varies from item to item, with the largest hindrance (according to 89.7% of respondents) being a disconnect between developer and security workflows.

Following that disconnect come seven more problem areas, each worth mentioning because the least hindering one still causes problems for 81.3% of developers. From most to least troubling are: 

  • Performing security tests too late in the development cycle (88.7%)
  • A lack of remediation guidance (87.7%)
  • Poor quality of security testing results (86.2%)
  • Vulnerability patching that requires additional updates to connected code (85%)
  • A lack of dev-friendly code analysis tools (84.4%)
  • Too much reliance on manual security processes (82.1%)
  • Speed of security testing software (81.3%)

Respondents indicated that most of the lost time spent securing apps comes during development and while apps are already in production (tied at 37.8%). 

Integrated development environment (IDE)-based security tools were shown to be the least popular, and the survey said that developers “often disable” tools of that kind. “Inserting security while developers are writing code [was found] to be the biggest inhibitor of developer productivity,” the report said.


The report also found that securing code at the pull/merge request point was the least productivity-inhibiting method of appsec, but it also found that workflow disconnects are the most widely acknowledged hindrance, indicating that pull/merge-request appsec may not be as common as developers wish it were.

“It is clear that scaling to meet the needs of the modern SDLC is not something appsec can spend or hire its way to. Engaging developers and creating a culture of accountability amongst development teams to secure the code they write in a timely manner is the only way security can match the pace of modern development,” the report concluded. 

Developer-centric workflows are the key to improving appsec without sacrificing productivity time, and ShiftLeft said that static application security testing (SAST) and software composition analysis (SCA) are two of the better methods for developing dev-centric appsec processes. 

That doesn’t mean security teams should consider appsec completely in the hands of developers, the report added: Dynamic app security testing, penetration testing, and web app firewalls are all still necessary parts of the software development lifecycles that should be handled by security teams.

The key is to create “purpose-built developer workflows for developer-centric security tools,” freeing devs up to do what they need to do without interrupting their cycles, and letting IT handle the rest of the application security sphere.
