More organizations are adopting agile programming practices and secure development lifecycles, but most fail to provide developers the tools and processes they need to produce secure code.
A newly published survey conducted by DevOps service provider GitLab found that 70% of programmers are expected to write secure code, but only 25% think their organization's security practices are "good." The gap between the expectations to which developers are held responsible and the reality of their work environments underscores the problems that companies face in securing their software, says Kathy Wang, senior director of security at GitLab.
"I do think that [on] the security side of the industry — the state of it right now — we are still in a reactive mode," she says. "There are a lot of companies out there that are moving toward the DevOps mindset, but I think most have not made the transition yet."
GitLab in its survey interviewed more than 4,000 developers, managers, and executives at software-producing companies, about 60% of whom are customers of GitLab, to suss out the trends affecting developers. The vast majority of companies are focused on some form of agile software development, with 50% using Scrum in some development groups, 37% using Kanban, and 36% using DevOps. Another 17% continue to use the more methodical waterfall development practice, the survey found.
Among the major issues they cite is security and how the production of secure code is handled at the companies. While agile methodology aims to break down barriers between groups — with DevOps' push for a single development and operations pipeline being the most obvious example — companies have trouble in practice, the survey found.
"The idea that 'everyone is responsible for security' might be the ideal but it can also be part of the problem as 'everyone' can easily turn into 'no one,'" the report stated. "Security professionals often complain about being on the outside, while developers and operations teams can resent being told how to prioritize their work."
While 45% of companies have some form of continuous code deployment in the organization (one measure of agile development), half of developers believe that most vulnerabilities continue to be found only after merged code is exported into a test environment; they say they encounter the most delays during the testing stage of development.
Not catching software defects during the development process increases the cost of fixing the issues dramatically, Wang says.
"We have application security teams and code scanning, but not every company is using those tools," she says. "If you don't use it, you are relying on manual code review and things are missed, which means you are finding things after the fact, after code is committed, and that is much more expensive."
The survey found significant security benefits with a mature DevOps implementation: security teams are three times more likely to find vulnerabilities before code is merged. About a third of teams automated the use of static scans every time code is committed, and a bit more than a quarter had inline security features that checked code as it is written.
Scanning for out-of-date dependencies is the most common type of security check, with 56% of those surveyed using the feature. Only 35% of companies used static analysis security testing (SAST) and 22% used dynamic analysis security testing (DAST), according to the survey.
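To make concrete what "automated scans on every commit" looks like in the kind of pipeline the survey describes, here is an added example of a minimal `.gitlab-ci.yml` that wires dependency scanning, SAST, and DAST into a project's pipeline. It is not from the article or from GitLab's own documentation; the template paths are GitLab's published CI templates, while the stage names, the placeholder review-environment URL, and the excluded test directory are assumptions for illustration.

```yaml
# Added example, not from the article: a pipeline that runs the three scan
# types discussed above on every push and merge request.
stages:
  - build
  - test
  - dast

include:
  # Checks lockfiles and manifests for known-vulnerable, out-of-date dependencies
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # Static analysis of the committed source, before it is merged
  - template: Security/SAST.gitlab-ci.yml
  # Dynamic testing against a running instance of the application
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Assumption: paths that hold fixtures and test doubles, kept out of SAST
  # so that deliberately bad sample inputs do not show up as findings.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  # Placeholder for the review environment the DAST job probes; a real
  # pipeline would set this from the deploy job's environment URL.
  DAST_WEBSITE: "https://review.example.internal"
```

Each template produces a security report artifact that the pipeline attaches to the commit and merge request, so findings appear while the change is still under review rather than after it has been merged and exported to a test environment, which is the stage where the survey's respondents said most vulnerabilities are found today.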
In all, testing coverage extended to more than 90% of code in the most mature 14% of DevOps teams.
"You want to make sure that developers are as educated as possible about secure coding processes," Wang says. "You want tools, and with DevOps, you have more advanced components that you want to deploy."
The security metrics that respondents deemed to be most important were the severity of vulnerabilities, the time elapsed since a vulnerability was discovered, the mean time to resolution, and the number of vulnerabilities reported.
One particularly interesting tidbit: Developers who mainly work from remote locations more often rated the maturity of their organization's security practices higher than those developers who work at the office. Wang did not have an explanation for the gap in perceived security practices.