How often do developers push vulnerable code?

A Tromzo report reveals developers remediate only 32% of vulnerabilities and regularly push vulnerable code.

The report was based on a survey of more than 400 U.S.-based developers who work at organizations where they currently have CI/CD tools in place.

“These findings show that developers regularly ignore security issues, but can we really blame them?” said Tromzo CTO Harshit Chitalia. “Security teams are bombarding them with an endless stream of issues that need to be addressed with no way for them to separate what’s actually critical from all the noise, all while they are expected to release software more frequently and faster than ever before.

“If we want developers to truly implement security, we must make it easy for them. This means integrating contextual and automated security checks into the SDLC so we can transition from security gates to security guardrails.”

Developers and the vulnerable code

• 42% of developers push vulnerable code once per month. When a developer knowingly publishes code they believe to be vulnerable, it is clear that they think it is not their responsibility to fix the code before it is pushed or ​​other organizational pressures deprioritize security.
• Developers fix only 32% of known vulnerabilities. Given the volume of false-positive alerts that teams deal with today, fixing 32% of vulnerabilities could very well produce an acceptable result if developers could determine which 32% to fix. Unfortunately, without security training and experience, developers should not be expected to make that determination accurately.
• A third of vulnerabilities are noise. To reduce false-positive vulnerabilities, scans must have access to all of the required asset information so that security tools can accurately determine whether a vulnerability exists. Reducing security noise will allow developers to address security issues confidently.
• 33% believe that developers and security are siloed. When developers and security teams operate in insulated silos, it leads to inefficiencies and gaps in security across the software development lifecycle. These silos ultimately lead to security vulnerabilities and bad user experiences.