A variety of cultural factors continue to get in the way of producing secure code, including ill-defined responsibilities, incentives that prioritize features over security, and a lack of training. Developers themselves estimate that as many as 40% of vulnerabilities slip past code review and testing and remain in production code.
The divided nature of software development and deployment is evident in responses to this year's "Global Pulse of AppSec" survey, conducted by application security firm Checkmarx: Thirty-eight percent of developers named slower deployment as the most significant challenge to application security, while 41% of application security managers named developers' failure to adopt security tools. Despite that friction, 93% of software developers said they feel confident or very confident that their applications are secure, up from 81% last year, according to the firm.
While the survey suggests that companies are focused on security, most are not near the level of maturity that they need to be, says Sandeep Johri, CEO of Checkmarx.
"They're getting better, but most are a long way from being good enough," he says. "We do see some outstanding security and DevSecOps teams, but many teams have a way to go on their journey to becoming highly effective at catching vulnerabilities."
Cultural factors seem to outweigh technology issues in the continuing release of vulnerable applications. Even identifying who has the most responsibility for security is a tough task for most companies. More than a third (36%) of chief information security officers pointed to AppSec teams as those most responsible for application security, more than a quarter (28%) pointed to operations teams, and 20% pointed to developers, according to the Checkmarx report.
Overall, the share of applications with vulnerabilities has increased. In 2022, 84% of the codebases audited contained at least one known open source vulnerability, tying 2020 for the highest level yet, while 48% contained a high-risk vulnerability, down from 2020 but higher than 2018, according to the "Open Source Security and Risk Analysis" (OSSRA) report published by application security firm Synopsys.
The good news is that scans show that application security tools are catching vulnerabilities in the pipeline, rather than letting them escape to production.
"DevOps teams are definitely getting better at catching vulnerabilities before they are released because adoption of specialized application security tools in the pipeline has increased," says Nivedita Murthy, an associate principal consultant at Synopsys.
'Honeymoon Period' Ending?
Yet many development teams are still either not focused on security or do not have organizational support to pursue better security. Nearly a quarter (23%) of the respondents to Checkmarx's survey indicated that they had often shipped known-vulnerable code into production, for example, with an additional 45% sometimes shipping known-vulnerable code.
Data from scans conducted by clients of another application security firm, Veracode, offers a different take on the life cycle of vulnerabilities in a software application: about 23% of applications continue to carry flaws over time. Typically, there is an immediate downward trend in flaws after a company adopts a software analysis toolset, followed by a two-year period in which fewer new flaws are introduced, says Robert Rhame, head of market intelligence at Veracode.
"We suspect this is because there is an organizational will to burn down the flaw debt, and then a steady state is achieved," he says. "After this initial two-year 'honeymoon period,' applications tend to accumulate more flaws as well as introduce more flaws."
The increase in vulnerabilities, and the lack of staying power of initiatives to secure software, may be caused by developers' shifting roles. Because most companies lack a way to retain institutional knowledge, security know-how is often lost when developers leave or move on to other projects, says Synopsys' Murthy.
"While companies are getting better at AppSec and catching the most critical vulnerabilities, there is still a long way to go to remediation and reduction because development teams often change quickly, and there is no sustainable learning experience being implemented to ensure vulnerabilities are reduced over time," she says.
Developer Behavior Matters
Although different metrics lead to different views of how secure software is, AppSec experts agree that developer culture and behavior make a great deal of difference to companies' efforts. Security teams and DevOps teams should be incentivized to collaborate, should have high-level visibility into security, and should strive to improve their security maturity, says Checkmarx's Johri.
"Companies that have broken down the barriers between the CISO organization and the DevOps team and that have taken a more holistic approach to security are those who are most successful," he says. "Generally, companies that have been aggressive in their move to the cloud are further along in application security because they have cleaner architectures, and it's easier to consume new tools in that type of environment."
In addition, while a good culture improves the odds of a secure development life cycle, tools do help. In particular, automated scans launched through an API are a sign of a well-integrated pipeline, one in which code is scanned on every build rather than on demand, and they lower the likelihood that vulnerabilities escape to production, says Veracode's Rhame.
"A team that scans often and regularly will bring their debt down to zero or close to it, and it will stay there," he says. "A team that does not scan regularly could very well be deploying code into production without the process of scanning beforehand."
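The pipeline gate that the last two points, and the earlier observation that tools in the pipeline catch vulnerabilities before release, describe, as an added example (my code, not Checkmarx's, Synopsys' or Veracode's): it reads a constructed SARIF 2.1.0-style scanner report, ranks each finding using the `security-severity` rule property convention that GitHub code scanning uses (falling back to the SARIF `level` when a rule carries no score), tallies the open flaw debt by severity, and refuses the deployment when any finding meets the blocking threshold or when the scan evidence is missing or older than policy allows, so that code never reaches production without a recent scan. The scanner name, rule IDs, file paths, scores and the seven-day freshness window are assumptions.

```python
import json
import sys
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed SARIF 2.1.0-style report standing in for a scanner's output; the scanner
# name, rule IDs, file paths and security-severity scores are assumptions for the example.
SAMPLE_SARIF = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "sqli", "properties": {"security-severity": "9.8"}},
            {"id": "xss-reflected", "properties": {"security-severity": "6.1"}},
            {"id": "debug-log", "properties": {"security-severity": "2.0"}},
            {"id": "unused-import"},  # no security score: severity falls back to level
        ]}},
        "invocations": [{"endTimeUtc": "2024-03-01T10:00:00Z"}],
        "results": [
            {"ruleId": "sqli", "level": "error", "locations": [{"physicalLocation":
                {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "xss-reflected", "level": "warning", "locations": [{"physicalLocation":
                {"artifactLocation": {"uri": "app/views.py"}, "region": {"startLine": 17}}}]},
            {"ruleId": "debug-log", "level": "note"},
            {"ruleId": "unused-import", "level": "note"},
        ],
    }],
})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}
# Score buckets GitHub code scanning applies to the security-severity rule property.
SCORE_BUCKETS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"), (0.0, "info"))

Finding = namedtuple("Finding", "rule_id severity uri line")

@dataclass
class Policy:
    block_at: str = "high"                       # fail on this severity or worse
    max_scan_age: timedelta = timedelta(days=7)  # older evidence counts as no scan at all

@dataclass
class GateResult:
    passed: bool = True
    reasons: list = field(default_factory=list)
    flaw_debt: dict = field(default_factory=dict)  # open findings per severity bucket

def utc(iso: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T10:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def severity_from_score(score: str) -> str:
    """Map a 0-10 security-severity score onto a named bucket."""
    s = float(score)
    return next(name for cutoff, name in SCORE_BUCKETS if s >= cutoff)

def parse_findings(sarif_text: str) -> list:
    """Flatten every result of every run into Finding records with a normalised severity."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            score = rules.get(rule_id, {}).get("properties", {}).get("security-severity")
            severity = (severity_from_score(score) if score is not None
                        else LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "medium"))
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(rule_id, severity,
                                    phys.get("artifactLocation", {}).get("uri", "?"),
                                    phys.get("region", {}).get("startLine", 0)))
    return findings

def scan_time(sarif_text: str):
    """Return when the scan finished, or None if the report carries no invocation time."""
    for run in json.loads(sarif_text).get("runs", []):
        for inv in run.get("invocations", []):
            if inv.get("endTimeUtc"):
                return utc(inv["endTimeUtc"])
    return None

def evaluate(sarif_text: str, policy: Policy, now: datetime) -> GateResult:
    """Gate a deployment: a fresh scan is required and blocking findings are forbidden."""
    result = GateResult()
    finished = scan_time(sarif_text)
    if finished is None or now - finished > policy.max_scan_age:
        result.passed = False
        result.reasons.append("no fresh scan evidence: refusing to deploy unscanned code")
    for f in parse_findings(sarif_text):
        result.flaw_debt[f.severity] = result.flaw_debt.get(f.severity, 0) + 1
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy.block_at]:
            result.passed = False
            result.reasons.append(f"{f.severity} finding {f.rule_id} at {f.uri}:{f.line}")
    return result

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_SARIF, Policy(), utc("2024-03-02T00:00:00Z"))
    print("flaw debt by severity:", verdict.flaw_debt)
    for reason in verdict.reasons:
        print("BLOCK:", reason)
    sys.exit(0 if verdict.passed else 1)
```

Run stand-alone it exits non-zero because the constructed report contains a critical SQL injection finding. The freshness check is the part teams most often leave out: a gate that only inspects findings passes happily when the scan step was skipped or its artifact is stale, which is exactly the unscanned deployment the quote above warns about. The flaw-debt tally is what a team would chart over time to confirm the "burn down" described earlier is actually holding.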