Security Teams and Software Developers Join Forces to Pursue Better Security
July 14, 2017

Anand Akela
Tricentis

Despite the pervasive belief that security and development teams have conflicting priorities, initiatives such as creating DevOps environments and focusing on product innovation have the two teams aligned toward a common goal of creating secure software, according to a new study from Veracode, CA Technologies application security business.

See Infographic Below

Download Full Report Here

In fact, according to the research, which was conducted in conjunction with Enterprise Strategy Group (ESG), 58 percent of survey respondents stated their organization is taking a collaborative approach to securing applications.

Growing Need for DevSecOps

The research aims to determine security and development professionals' views of application security and software development trends. Among respondents reporting their organization currently uses application security solutions like static application security testing, 43 percent report their organization does so because including application security in the development process is more efficient than reactively patching production systems.

Interestingly, 45 percent of respondents whose organization has adopted formal DevOps principles and best practices indicate DevOps makes the software development team's job easier, and only eight percent feel adding application security into the development process would slow down a DevOps environment. This is contrary to the common perception that a focus on security will slow down software development.

"Software continues to be the major driver of innovation and economic growth. Eliminating perception that there is friction between security and development is a priority for IT professionals," said Pete Chestna, Director of Developer Engagement, Veracode. "The positive perception of how security and DevOps can align, as indicated by this research, shows that development teams can and should consider security an integral part of their process."

This development could not come at a better time for businesses, as attacks leveraging software vulnerabilities are increasingly common and damaging. The WannaCry ransomware attack is the most recent example, exploiting a vulnerability in an older version of the Microsoft Windows operating system. While Microsoft had issued a patch for the vulnerability, thousands of organizations had not implemented the fix and became infected by WannaCry.

The research also indicates showed that nearly 70 percent of respondents plan to increase Application Security investments in the next 12 to 24 months. This increased investment further validates the growing importance of Application Security in the development process.

DevOps Influencing Technology Requirements

The research points to the need for application security to become an integrated part of the DevOps process – the combination increasingly known as DevSecOps – and that this need is both recognized and accepted. The data also highlights the technology requirements necessary to make DevSecOps a reality.

Tool complexity and the inability to integrate application security into the DevOps workflow are major obstacles to organizations deploying these tools effectively. In fact, the ability to integrate static software testing and software lifecycle tools (42 percent) and the ability to integrate dynamic software testing and software lifecycle tools (34 percent) into the application development and DevOps processes was the most cited consideration when evaluating static and dynamic application security testing products and services respectively.

"Contemporary application development methodologies such as DevOps foster communication and collaboration between the application development, operations and security teams with the goal of identifying and fixing vulnerabilities as early as possible to increase efficiency and enhance security," said Doug Cahill, Senior Analyst at ESG. "The increased adoption of DevOps combined with the eagerness to integrate and automate security testing throughout the entire software lifecycle indicates a shift towards DevSecOps, which means thinking of secure code as an element of creating quality code."

Methodology: The study, commissioned by Veracode and conducted by ESG, surveyed 400 IT professionals in the US, UK and Germany.


Anand Akela is VP of Product Marketing at Tricentis
Share this

Industry News

January 26, 2023

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available.

January 26, 2023

Mirantis, freeing developers to create their most valuable code, today announced that it has acquired the Santa Clara, California-based Shipa to add automated application discovery, operations, security, and observability to the Lens Kubernetes Platform.

January 25, 2023

SmartBear has integrated the powerful contract testing capabilities of PactFlow with SwaggerHub.

January 25, 2023

Venafi introduced TLS Protect for Kubernetes.

January 25, 2023

Tricentis announced the general availability of Tricentis Test Automation, a cloud-based test automation solution that simplifies test creation, orchestration, and scalable test execution for easier collaboration among QA teams and their business stakeholders and faster, higher-quality, and more durable releases of web-based applications and business processes.

January 24, 2023

Harness announced the acquisition of Propelo.

January 23, 2023

Couchbase announced its Couchbase Capella Database-as-a-Service (DBaaS) offering on Azure.

January 23, 2023

Mendix and Software Improvement Group (SIG) have announced the release of Mendix Quality & Security Management (QSM), a new cybersecurity solution that provides continuous deep-dive insights into security and code quality to immediately address risks and vulnerabilities.

January 23, 2023

Trunk announces the public launch of CI Analytics.

January 23, 2023

Panaya announced a new Partnership Program in response to ongoing growth within its partner network over the past year.

January 23, 2023

Cloudian closed $60 million in new funding, bringing the company’s total funding to $233 million.

January 19, 2023

Progress announced the R1 2023 release of Progress Telerik and Progress Kendo UI.

January 19, 2023

Wallarm announced the early release of the Wallarm API Leak Management solution, an enhanced API security technology designed to help organizations identify and remediate attacks exploiting leaked API keys and secrets, while providing on-going protection against hacks in the event of a leak.

January 19, 2023

ThreatModeler launched Threat Model Marketplace, a cybersecurity asset marketplace offering pre-built, field-tested threat models to be downloaded — free for a limited time — and incorporated into new and ongoing threat modeling initiatives.

January 18, 2023

Software AG has launched new updates to its webMethods platform that will simplify the process by which developers can find, work on and deploy new APIs and integration tools or capabilities.