ITWeb, in partnership with Accenture and Micro Focus, conducted a DevOps survey during September 2020 to find out how companies approach threat modelling and related secure development practices in their application development projects.
A total of 216 valid responses were captured: 40% of respondents are at executive or middle-management level, 44% are at staff level, and the remainder are software consultants.
Here are the key findings:
- When asked how they approach threat modelling in their application development process, 39% of respondents indicated that all applications go through threat modelling and that attack vectors are addressed during implementation. However, 21% reported that no threat modelling was done on the project at all.
- 24% said their team had basic secure coding skills but needed guidance to implement security concepts in depth, while a further 19% reported that “some developers are trained with security coding practices” but not all.
- One third of respondents said real-time collaboration exists between the security engineering and software engineering teams. In 13% of the participating companies, however, there is no collaboration, as software and security teams mostly operate in silos.
- Nearly half of the respondents (46%) believe standards are well defined within their project team and that team members understand and are able to implement them.
- Asked whether the application development project follows standard metrics or KPIs, 28% said they follow internally defined metrics, while 26% apply industry-standard metrics in the project.
- 36% of participating software teams monitor security and use tooling for both monitoring and reporting.
- 32% reported that only key or strategic projects are scanned with open source component analysis; 28% scan only on request.
- Nearly a quarter (24%) say that all code, both application and infrastructure, is considered for automated security testing.
- When asked how feedback on scan findings is provided to developers, 26% said scan reports are sent to developers directly, with no automation in the process.
- Roughly a third (31%) indicated that software component analysis is integrated into the CI server as a job in the DevOps pipeline.
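The last two findings describe the gap between running software component analysis (SCA) as a pipeline job and merely mailing raw scan reports to developers. The script below is an added illustration of what the automated version of that feedback loop looks like; it is not code from the survey, from ITWeb, Accenture or Micro Focus, or from any scanner. It assumes a constructed, simplified JSON report format (real scanners each have their own), and the package names and advisory labels (ADV-A, ADV-B, ADV-C) are placeholders, not real vulnerabilities. The job parses the report, decides whether to fail the build based on a severity threshold, and builds a developer-facing summary that the CI job can post back to the change under review.

```python
"""Hypothetical CI gate for software component analysis (SCA) findings.

Added example: reads an SCA report in a constructed, simplified JSON format
(not the output of any particular scanner), decides whether the pipeline job
should fail, and builds a developer-facing summary a CI job could post back
to the merge request instead of emailing the raw report.
"""
import json
from collections import defaultdict

# Severity ranking used for the gate; by default "high" and "critical" block.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}

# Constructed sample report. Package names and advisory refs are placeholders,
# not real components or real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "components": [
        {"name": "libexample-http", "version": "1.2.0",
         "findings": [{"ref": "ADV-A", "severity": "high", "fixed_in": "1.2.3"}]},
        {"name": "libexample-yaml", "version": "0.9.1",
         "findings": [{"ref": "ADV-B", "severity": "low", "fixed_in": "0.9.2"},
                      {"ref": "ADV-C", "severity": "medium", "fixed_in": None}]},
        {"name": "libexample-json", "version": "3.0.0", "findings": []},
    ]
})


def parse_report(raw):
    """Flatten the report into (package, version, ref, severity, fixed_in) rows."""
    data = json.loads(raw)
    rows = []
    for comp in data.get("components", []):
        for finding in comp.get("findings", []):
            sev = finding.get("severity", "none").lower()
            if sev not in SEVERITY_RANK:
                # Fail closed on unknown severities rather than silently passing.
                raise ValueError(f"unknown severity {sev!r} for {comp['name']}")
            rows.append((comp["name"], comp["version"], finding["ref"], sev,
                         finding.get("fixed_in")))
    return rows


def gate(rows, fail_on="high"):
    """True if any finding is at or above the fail_on severity (build should fail)."""
    limit = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[sev] >= limit for _, _, _, sev, _ in rows)


def summarize(rows):
    """Group findings per package, worst severity first, with the upgrade hint."""
    by_pkg = defaultdict(list)
    for name, version, ref, sev, fixed in rows:
        by_pkg[(name, version)].append((ref, sev, fixed))
    summary = []
    for (name, version), findings in by_pkg.items():
        worst = max(findings, key=lambda f: SEVERITY_RANK[f[1]])[1]
        fixes = sorted({f[2] for f in findings if f[2]})
        summary.append({"package": name, "version": version, "worst": worst,
                        "count": len(findings), "fixed_in": fixes})
    summary.sort(key=lambda s: -SEVERITY_RANK[s["worst"]])
    return summary


def render_comment(summary, blocked):
    """Markdown body a CI job could post to the merge request."""
    lines = ["### SCA results", ""]
    lines.append("**Build blocked**" if blocked else "No blocking findings.")
    for s in summary:
        hint = (f"upgrade to {', '.join(s['fixed_in'])}" if s["fixed_in"]
                else "no fixed version listed")
        lines.append(f"- {s['package']} {s['version']}: {s['count']} finding(s), "
                     f"worst {s['worst']}; {hint}")
    return "\n".join(lines)


def run(raw, fail_on="high"):
    """Full job: parse, gate, summarize. Returns (blocked, summary, comment)."""
    rows = parse_report(raw)
    blocked = gate(rows, fail_on)
    summary = summarize(rows)
    return blocked, summary, render_comment(summary, blocked)


if __name__ == "__main__":
    blocked, _, comment = run(SAMPLE_REPORT)
    print(comment)
    # Non-zero exit makes the CI job fail when the gate trips.
    raise SystemExit(1 if blocked else 0)
```

Wired into the pipeline, the scanner writes its report, this job consumes it, the exit code decides whether the build proceeds, and the rendered comment goes to the merge request via the CI system's API. The threshold is deliberately a parameter: teams that "scan only on request" typically start with reporting only (a high `fail_on`) and tighten it once the backlog of known findings is under control.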