Nearly half (48%) of organizations regularly push vulnerable code into production because of time pressures, while 31% do so occasionally, according to a new report published by Synopsys entitled Modern Application Development Security.
As a result, 60% have reported production applications exploited by OWASP top-10 vulnerabilities in the past 12 months.
This is despite the fact that most organizations believe their security programs are very good, with an average rating of 7.92 out of 10 given by the 378 IT, cybersecurity and application development professionals surveyed by the Enterprise Strategy Group (ESG). More than two-thirds (69%) rated their security program as eight or above.
The study was commissioned to look at the convergence of application security tools, which is becoming increasingly complex, with 72% of organizations stating that they now utilize more than 10 of these tools.
As such, it was found that 43% of organizations believe that DevOps integration is the most important aspect of improving application security programs. Yet 23% of respondents said that poor integration with development/DevOps tools is a common challenge to achieving this, while 26% identified difficulty or lack of integration between different application security vendor tools.
Dave Gruber, senior ESG analyst, said: “DevSecOps has moved security front and center in the world of modern development; however, security and development teams are driven by different metrics, making objective alignment challenging.”
The biggest challenge highlighted was developers' lack of knowledge of how to mitigate the issues identified (29%). This suggests there is currently insufficient developer security training taking place, and 35% of organizations revealed that less than half of their development teams are participating in formal training.
Speaking to Infosecurity, Patrick Carey, director of product marketing at Synopsys, commented: “As high velocity application development continues to grow in popularity through methodologies such as DevOps, it is critically important to ensure that security is considered throughout the software development lifecycle.
“That way, if the decision is consciously made to push vulnerable code due to time pressures, critical and high-risk vulnerabilities will have been resolved beforehand. By educating organizations on how to apply a holistic software security program and guiding them in their journey to implement DevSecOps cultures, we’ll see the prevalence of knowingly pushing vulnerable code drop. Enabling developers with security tools and training resources that in no way slow down their momentum is a highly beneficial step in that process.”