Despite concerns over software security, many companies have not assigned a cybersecurity leader to help secure their applications — a problem that will only worsen as demand for technical security experts deepens worldwide.
In data published on Nov. 21, software security firm WhiteHat Security found that three-quarters of developers are worried about the security of their applications, and about seven out of eight consider security to be an important development consideration, but only half of these teams have a dedicated cybersecurity expert. The "Developer Security Sentiment Study," which produced the data, found that about 49% of development teams lack a dedicated cybersecurity leader and 43% prioritize deadlines over secure coding.
"While developers' concerns about securing their code are on an upward trajectory, it's clear the industry has a long way to go," said Joseph Feiman, chief strategy officer for WhiteHat Security, in a statement. "Developers are on the front lines when it comes to protecting their organizations from cyberattacks, and they need the right tools and training to handle this burden."
Holes in software security reflect the impact of companies' shift toward more agile programming methodologies. In the past, most IT dollars were spent by the actual IT organizations, and while that's still true, the budget of non-IT groups, such as DevOps, are growing, says Greg Young, vice president of cybersecurity at security firm Trend Micro.
In 2020, businesses will be either a "have" or a "have-not" when it comes to security, he says.
"AppSec, cloud security, and securing DevOps are very doable, but they take new models, not just new tools," Young says. "The 'haves' will manage AppSec well, such as building security into DevOps by providing container and workload security automatically and managing cloud security postures even when they are in cloud spaces the company didn't know they owned. The 'have-nots' will continue to try and force DevOps into older security models, rather than adapting themselves, and miss out on innovation opportunities while getting hacked."
Adding to the pressures on companies and their ability to incorporate security into their development and operations is the general shortage of knowledgeable cybersecurity workers. Organizations that integrate security into their development life cycles generally have better security outcomes, but the shortage in workers means they have to pay a high price to do so, says Anthony Bettini, chief technology officer for WhiteHat Security.
"Companies that are able to pay for experienced AppSec people do," he says. "Companies whose budgets do not permit this either assign the role to someone internally or hire more junior folks from outside. The best approach likely depends on the organization based on their budget and time scale for the outcomes they desire to achieve."
Unsurprisingly, more than half of security professionals — 52% — have burned out at their job, according to the WhiteHat report.
Companies also have to worry about newer threats that affect software development, such as locking down their application programming interfaces (APIs) from abuse and security threats. More than a quarter of companies have detected reconnaissance attempts on their API servers, which make data and services available to Web and mobile applications, according to a survey of 100 attendees conducted by CloudVector at the Cyber Security and Cloud Expo. Another 16% do not know whether they have been attacked.
"The reality is likely [that the number of attacks is] much higher given that most organizations lack the capability to detect these threats," said Ravi Balupari, vice president of engineering and threat research at CloudVector, in a blog post. "The lack of visibility into API payloads is a major blind spot."
Developing in-house expertise in these cybersecurity threats does not seem to be a priority either. Only 30% of developers have received some sort of security certifications in their current or previous jobs, according to the WhiteHat survey.
There is good news, however. The vast majority of development teams — 82% — said they scan their software at least monthly, the survey found.
- A Security-First Approach to DevOps
- White-Hat Bug Bounty Programs Draw Inspiration from the Old West
- Why Hackers Are in Such High Demand, and How They're Affecting Business Culture
- DevSecOps: The Answer to the Cloud Security Skills Gap
- AppSec 'Spaghetti on the Wall' Tool Strategy Undermining Security
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Home Safe: 20 Cybersecurity Tips for Your Remote Workers."