Despite showing moves toward earlier and more frequent security testing throughout the development process, there are still hurdles development and security teams must overcome when it comes to securing applications, according to Veracode.
Increased recognition, earlier testing
According to the survey, 40 per cent of developers are incorporating security testing during the programming stage, and 21 per cent identify the design stage as the point at which security testing is completed. Testing early in the development process finds security defects in code at the point where they are least costly to fix.
Developers are recognising the importance of securing applications. 39 per cent of developers responded that their number one concern is protecting applications from cyberattacks and data breaches. Traditionally, developers were not focused on securing applications, and this shift in mindset helps explain the new emphasis on early testing reported in the survey.
Improving for the future
Despite the fact that developers recognise the importance of securing software and the need for early security testing, areas for improvement remain. Developers are still dealing with security programmes that impede their development efforts. The report, which included respondents from the US, UK and Germany, also showed that 52 per cent of developers feel application security testing often delays development and threatens deadlines. Fewer than 25 per cent of developers feel they have authority over decisions regarding application security.
This lack of authority, together with the impact on development timelines, has the potential to slow the strides made in improving application security and making security part of the development process.
“In an age where continuous deployment and frequent innovation is critical to the success of business, it is unacceptable for security testing to hinder development efforts,” said Tim Jarrett, director of Security at Veracode. “As DevOps environments become a standard method of developing software, the industry has an opportunity to continuously improve the way it integrates security into the development process.”
Sensitive data exposure is top concern: 52 per cent of developers and managers cited sensitive data exposure as their top concern. This includes credentials and PII such as health data. Broken authentication and session management was the second concern at 37 per cent.
Regional differences: In Germany and the UK, 40 per cent of developers, and 38 per cent of development managers said stopping cyberattacks and breaches was their top concern, while in the US, the opposite was true: more development managers (42 per cent) than developers (34 per cent) listed this as their top concern.
Budget and delivery schedules: In Germany and the UK, 26 per cent of managers said meeting budget and delivery schedules was their top concern, versus just 18 per cent of development managers in the US.
Healthcare prioritises compliance: Developers and managers in the healthcare industry cited meeting customer and regulatory compliance as their top concern.
Despite risk, open-source is of little concern: Veracode’s recent SOSS Report showed that 97 per cent of Java applications had at least one component with a known vulnerability, yet the survey results showed that only 28 per cent said that using components with known vulnerabilities was a major concern.
Financial services and manufacturing late to the game: 11 per cent of financial services and 16 per cent of manufacturing companies said they incorporated security later in the development cycle.