Tromzo has released the findings of its report, based on a survey of 403 US-based application security practitioners who work at organizations where the development team uses CI/CD systems.
“The findings confirm our belief that security teams must make improving their relationship with developers a major priority in 2022,” said Harshil Parikh, CEO of Tromzo. “They can do this by making security easy for developers. This means integrating security checks into the SDLC and transitioning from security gates to security guardrails so security can become a first-class citizen once and for all.”
The state of application security
Application security posture confidence remains high, yet 67% have experienced an incident in the past year. The juxtaposition of these two facts highlights the need for better visibility into what’s happening between AppSec and Development teams. If security teams are confident that security precautions are being implemented in the development environment when, in fact, they are not, there exists an increased risk of a severe security incident.
40% have 5,000 or more security vulnerabilities that need to be addressed, and that rate has quickly increased over the past 12 months. This explosion in vulnerabilities is a universal problem that AppSec teams must address sooner rather than later.
42% are seeing more false positives and noise than ever before. False positives and alert noise are by-products of security tools that lack context and are deployed only during the quality assurance stage rather than as part of an end-to-end approach.
Reducing friction between developers and security would have the most significant impact on improving the application security program. Any attempt to minimize conflict between security and a development team that doesn’t include shifting security left is not likely to succeed. As long as security is a gate implemented at the end of the development cycle, it will cause developer friction and cause delays in deploying secure applications.
Developers ignoring security is the greatest challenge. This problem will only be solved by a platform that enables AppSec teams to keep pace with modern development and scale their application security program.
Integrating security checks throughout the SDLC would dramatically improve the relationship with developers. We must transition from security gates to security guardrails that empower developers to develop secure code.