
Application Security

7/15/2019 02:30 PM

Software Developers Face Secure Coding Challenges

Seven in ten developers are expected to write secure code, but less than half receive feedback on security, a survey finds.

More organizations are adopting agile programming practices and secure development lifecycles, but most fail to provide developers the tools and processes they need to produce secure code. 

A newly published survey conducted by DevOps service provider GitLab found that 70% of programmers are expected to write secure code, but only 25% think their organization's security practices are "good." The gap between the expectations developers are held responsible for and the reality of their work environments underscores the problems that companies face in securing their software, says Kathy Wang, senior director of security at GitLab.

"I do think that [on] the security side of the industry — the state of it right now — we are still in a reactive mode," she says. "There are a lot of companies out there that are moving toward the DevOps mindset, but I think most have not made the transition yet."

GitLab in its survey interviewed more than 4,000 developers, managers, and executives at software-producing companies, about 60% of whom are customers of GitLab, to suss out the trends affecting developers. The vast majority of companies are focused on some form of agile software development, with 50% using Scrum in some development groups, 37% using Kanban, and 36% using DevOps. Another 17% continue to use the more methodical waterfall development practice, the survey found.

Among the major issues respondents cite is security and how the production of secure code is handled at their companies. While agile methodology aims to break down barriers between groups — with DevOps' push for a single development and operations pipeline being the most obvious example — companies have trouble doing so in practice, the survey found.

"The idea that 'everyone is responsible for security' might be the ideal but it can also be part of the problem as 'everyone' can easily turn into 'no one,'" the report stated. "Security professionals often complain about being on the outside, while developers and operations teams can resent being told how to prioritize their work."

Testing 1-2-3

While 45% of companies have some form of continuous code deployment in the organization (one measure of agile development), half of developers believe that most vulnerabilities continue to be found only after merged code is exported into a test environment; they say they encounter the most delays during the testing stage of development.

Not catching software defects during the development process increases the cost of fixing the issues dramatically, Wang says. 

"We have application security teams and code scanning, but not every company is using those tools," she says. "If you don't use it, you are relying on manual code review and things are missed, which means you are finding things after the fact, after code is committed, and that is much more expensive."

The survey found significant security benefits with a mature DevOps implementation: security teams are three times more likely to find vulnerabilities before code is merged. About a third of teams automated static scans every time code is committed, and a bit more than a quarter had inline security features that checked code as it is written.

Scanning for out-of-date dependencies is the most common type of security check, with 56% of those surveyed using the feature. Only 35% of companies used static analysis security testing (SAST) and 22% used dynamic analysis security testing (DAST), according to the survey.

In all, testing coverage extended to more than 90% of code in the most mature 14% of DevOps teams. 

"You want to make sure that developers are as educated as possible about secure coding processes," Wang says. "You want tools, and with DevOps, you have more advanced components that you want to deploy."

The security metrics that respondents deemed most important were the severity of vulnerabilities, the time elapsed since a vulnerability was discovered, the mean time to resolution, and the number of vulnerabilities reported.

One particularly interesting tidbit: Developers who mainly work from remote locations more often rated the maturity of their organization's security practices higher than developers who work at the office. Wang did not have an explanation for the gap in perceived security practices.
