Developers are taking over application security: WhiteSource

By Marilyn de Villiers
Johannesburg, 18 Jun 2019

Software developers, the vast majority of whom rely heavily on open source components, are increasingly expected to take on the day-to-day operational responsibility for application vulnerabilities, a move that is largely being driven by the shorter development cycles enabled by new DevOps practices and tools.

However, it appears that the tools available for end-to-end application security are not up to the task of dealing with security vulnerabilities from alerts to remediation in the current DevOps scenario.

That was one of the key findings in the recently released “Developer Survey Report” from WhiteSource, an open source security and licence compliance management company. The survey, which gathered responses from 650 developers in North America and Europe, set out to establish how developers are coping with the increased complexity of application security.

“The survey reflects what we have been hearing from our partners and customers, which is that vulnerability management tools must meet the needs of the teams using them,” said WhiteSource CTO Doron Cohen.

The survey revealed that 71% of organisations have shifted responsibility for application vulnerabilities to software development teams. Traditionally, security of applications has been in the hands of the organisation’s security professionals: developers would design and build the product, and the security experts would perform their reviews and flag issues for remediation before release – often leading to lengthy delays and bottlenecks.

Now, information security teams are becoming “irrelevant” as application security testing shifts into the early stages of software development where vulnerabilities are easier to detect, and quicker and less costly to remediate.

Despite this increased reliance on developers, under 60% say security is a top priority and that they have processes in place to detect and remediate vulnerabilities. One quarter of respondents said they simply make sure the code is secure before deployment, while 14% only think about security when issues arise. A tiny minority – less than 5% – don’t think about security at all because “it slows them down”.

The survey found a strong correlation between companies in which developers state they rely heavily on open source components, and companies that test their applications’ security before the build.

Nevertheless, asked which factors they check before downloading an open source component, aside from functionality, less than half (47%) stated that they check for reported open source vulnerabilities.

Developers are increasingly carrying out these security checks using free, automated Software Composition Analysis (SCA) tools that generally have limited capabilities – and usually only enable the developer to identify vulnerabilities. Remediation is a whole different story.

In fact, 25% of developers only report on detected vulnerabilities and 53% take action only in specific cases.

WhiteSource believes that a reason why more developers do not take action probably lies in the fact that most application security tools’ main goal is only to detect, alert and report.

“We believe the time has come for a new generation of security tools built for developers, focused not only on detecting but also on prioritising issues, as well as automating remediation processes, to help developers handle the workload, and enable them to fix reported issues,” the report concludes.