Comment: 73% Of Security Professionals And Developers Sacrifice Security For Speed

A couple of days ago, WhiteSource released its DevSecOps Insights Report, which was aimed at better understanding the level of DevSecOps maturity inside organisations.

20% of respondents described their organisations’ DevSecOps practices as “mature”, while 62% said they are improving practices and 18% as “immature”. Additional key insights from the report included:

  • In order to meet short deployment cycles, 73% of security professionals and developers feel forced to compromise on security.
  • AppSec tools are purchased to ‘check the box’, disregarding developers’ needs and processes, resulting in tools being purchased but not used.
    • Developers don’t fully use the tools purchased by the security team. The more mature an organisation is in terms of its DevSecOps practices, the more AppSec tools it uses.
  • There is a significant “AppSec knowledge and skills gaps” challenge that is largely neglected by organisations.
    • While 60% of security professionals say they have had an AppSec program in place for at least a year, only 37% of developers surveyed reported that they were not aware of an AppSec program running for longer than a year inside their organisation.
  • Security professionals’ top challenge is prioritisation, but organisations lack the standardised processes to streamline vulnerability prioritisation.
EXPERTS' COMMENTS
Tim Mackey, Principal Security Strategist, Synopsys CyRC
October 04, 2020
To realise the potential of this paradigm, security leaders need to embed the knowledge within the development flow.
Prioritisation of feature development relative to security has long been a challenge, but it’s not without a solution. In a DevSecOps world, empowering development teams can result in higher quality code with fewer security defects. To realise the potential of this paradigm, security leaders need to embed the knowledge within the development flow and not simply bolt it on at the end of the devel ....
