The vast majority of organizations are increasing their investment in application security this year, but they continue to struggle to fully embrace secure innovation. A market study released by Invicti Security examines how companies are contending with the strategic need to innovate and the existential risk posed by cyber threats.
The report is based on a survey of 600 executives and hands-on-keyboard practitioners across security, development and DevOps spanning over 20 industries including manufacturing, technology, government, retail, and education.
Skipped security steps
Tight timelines and innovation pressures for those on the front lines mean skipped security steps. And, integration is still a work in progress: 70% of respondents “frequently” or “always” complete projects without carrying out all security steps.
Additionally, integration into the software development life cycle (SDLC) is lacking, with only 20% reporting they have fully shifted left and another third in the “messy middle.” The repercussions of this are clear, with one in three issues under remediation making it to production without being caught in the dev or test stages.
Dev and sec suffering increased stress levels
Dev and sec are collectively stressed out, but the animosity between the two groups has been exaggerated. An eye-popping 78% of dev and sec respondents suffered increased stress levels this year and 73% actually considered quitting their job because of this stress.
Despite the well-known reputation for friction between the two groups, 76% feel they have a shared passion for security and work as one team that often collaborates to address security issues. This compares with only 17% who classified the relationship as “frenemies” and 7% “strangers.
Underpowered tools and manual processes impeding efficiency
Underpowered tools and manual processes impede efficiency, but practitioners know what it will take to address the problem. It would take a whopping two weeks per team member on average to address their organization’s current backlog of security issues — and that’s if they don’t work on anything else. Adding to this, 78% say they are forced to perform manual verification of vulnerabilities always or frequently.
False positives no doubt play a role in this: 96% report they are problematic at their organization, and 39% say they increase friction between dev and sec. But these teams know what it will take to dig out of the mess: increased automation (60%) and more integrations (99%).
“It’s on leaders to set the tone from the top-down and drive organizational culture shifts that increase emphasis on security and equip teams with the powerful tools and effective workflows they need to make secure innovation a reality.”