
Application Security

7/15/2019
02:30 PM

Software Developers Face Secure Coding Challenges

Seven in ten developers are expected to write secure code, but less than half receive feedback on security, a survey finds.

More organizations are adopting agile programming practices and secure development lifecycles, but most fail to provide developers the tools and processes they need to produce secure code. 

A newly published survey conducted by DevOps service provider GitLab found that 70% of programmers are expected to write secure code, but only 25% think their organization's security practices are "good." The gap between the expectations developers are held to and the reality of their work environments underscores the problems companies face in securing their software, says Kathy Wang, senior director of security at GitLab.

"I do think that [on] the security side of the industry — the state of it right now — we are still in a reactive mode," she says. "There are a lot of companies out there that are moving toward the DevOps mindset, but I think most have not made the transition yet."

In its survey, GitLab interviewed more than 4,000 developers, managers, and executives at software-producing companies, about 60% of whom are GitLab customers, to suss out the trends affecting developers. The vast majority of companies are focused on some form of agile software development, with 50% using Scrum in some development groups, 37% using Kanban, and 36% using DevOps. Another 17% continue to use the more methodical waterfall development practice, the survey found.

Among the major issues respondents cite is security and how the production of secure code is handled at their companies. While agile methodology aims to break down barriers between groups — with DevOps' push for a single development and operations pipeline being the most obvious example — companies have trouble doing so in practice, the survey found.

"The idea that 'everyone is responsible for security' might be the ideal but it can also be part of the problem as 'everyone' can easily turn into 'no one,'" the report stated. "Security professionals often complain about being on the outside, while developers and operations teams can resent being told how to prioritize their work."

Testing 1-2-3

While 45% of companies have some form of continuous code deployment in the organization (one measure of agile development), half of developers believe that most vulnerabilities continue to be found only after merged code is exported into a test environment; they say they encounter the most delays during the testing stage of development.

Not catching software defects during the development process increases the cost of fixing the issues dramatically, Wang says. 

"We have application security teams and code scanning, but not every company is using those tools," she says. "If you don't use it, you are relying on manual code review and things are missed, which means you are finding things after the fact, after code is committed, and that is much more expensive."

The survey found significant security benefits with a mature DevOps implementation: security teams are three times more likely to find vulnerabilities before code is merged. About a third of teams automated static scans every time code is committed, and a bit more than a quarter had inline security features that checked code as it is written.

Scanning for out-of-date dependencies is the most common type of security check, with 56% of those surveyed using the feature. Only 35% of companies used static analysis security testing (SAST) and 22% used dynamic analysis security testing (DAST), according to the survey.

In all, testing coverage extended to more than 90% of code in the most mature 14% of DevOps teams. 

"You want to make sure that developers are as educated as possible about secure coding processes," Wang says. "You want tools, and with DevOps, you have more advanced components that you want to deploy."

The security metrics that respondents deemed most important were the severity of vulnerabilities, the time elapsed since a vulnerability was discovered, the mean time to resolution, and the number of vulnerabilities reported.

One particularly interesting tidbit: Developers who mainly work from remote locations more often rated the maturity of their organization's security practices higher than developers who work at the office. Wang did not have an explanation for the gap in perceived security practices.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
