New Report: Speed and Security Are Both Possible in Software Development - Part 1
August 19, 2020

Taylor Armerding
Synopsys

Software development teams are driven by speed. Yes, they care about quality and features, but the real pressure is to move fast — faster than the competition.

Security teams are driven by exactly what their title says — security.

Both of which are good and necessary things to deliver what the market wants: Quality products that are the latest and greatest and aren't littered with vulnerabilities that can put users at risk.

But those very different, and often competing, pressures make it difficult for those teams to find common ground. Developers frequently view the security team as an obstacle — the people who slow them down. Security teams tend to view developers as in too much of a rush to care if what they deliver to the market can be easily hacked.

Add to that the reality that many security teams don't understand modern application development practices, including the move to microservices-driven architectures and the use of containers, and the divide gets even wider.

To look more deeply into the specifics of this divide, Synopsys commissioned IT analyst and research firm Enterprise Strategy Group (ESG) to document the dynamics between development and security teams regarding deployment and management of AppSec solutions.

That report, Modern Application Development Security, polled 378 qualified respondents in cybersecurity and application development. They represented several industries including manufacturing, financial services, construction/engineering, and business services, throughout the US and Canada.


And among its key findings was that when there is a contest between speed and security, speed wins. Nearly half (48%) of respondents reported that their organizations knowingly deploy vulnerable code to production due to time pressures.

That finding deserves some context — it doesn't mean organizations and their development teams don't care about security.

First, there is no way to deploy perfect code. So the reality is that while 48% admit to deploying vulnerable code, everybody is doing it some of the time. And that is not always a bad thing. As a recent Gartner paper on DevSecOps put it, "Perfect security and zero risk are impossible." Which means that trying to make code perfect would mean never deploying anything.


Or, as ESG put it, "Application security requires a constant triage of potential risks … that allow development teams to mitigate risk while still meeting key deadlines for delivery."

However, there is a difference between setting priorities — knowingly letting some lower-risk defects remain — and failing to find more significant vulnerabilities until it is so late in the SDLC that they don't get addressed.

And that is obviously happening. A majority (60%) acknowledged production application exploits involving OWASP Top 10 vulnerabilities in the past 12 months.


To address that problem takes both people and technology, the report found.

The people part is not a new problem. And what is encouraging is that it is getting lots of attention. Tanya Janca, now founder and security trainer at We Hack Purple Academy but at the time a senior cloud developer advocate for Microsoft, spoke about it more than a year ago at the 2019 RSA conference in San Francisco.

In a presentation titled Security Learns to Sprint: DevSecOps, she said a main reason security isn't more of a core element of the software development life cycle (SDLC) is because development and security teams tend to view one another not just with suspicion, but sometimes outright hostility.

This year, RSA featured an entire day of sessions on how to make DevSecOps teams function more cooperatively and effectively.

But cooperation usually takes understanding. And the less encouraging news is that there is still an understanding gap, in part because of a lack of basic training in security.

Go to New Report: Speed and Security Are Both Possible in Software Development - Part 2

Taylor Armerding is Senior Security Strategist at Synopsys
Share this

Industry News

September 24, 2020

NetApp announced the availability of Elastigroup for Microsoft Azure Spot Virtual Machines (VMs).

September 24, 2020

CloudBees announced a robust new set of DevSecOps capabilities for CloudBees CI and CloudBees CD. The new capabilities enable customers to perform early and frequent security checks and ensure that security is an integral part of the whole software delivery pipeline workflow, without sacrificing speed or increasing risk.

September 24, 2020

Pulumi announced the release of a Pulumi-native provider for Microsoft Azure that provides 100% coverage of Azure Resource Manager (ARM), the deployment and management service for Azure that enables users to create, update and delete resources in their Azure accounts.

September 23, 2020

Puppet announced new Windows services, integrations and enhancements aimed at making it easier to automate and manage infrastructure using tools Windows admins rely on. The latest updates include services around Group Policy Migration and Chocolatey, as well as enhancements to the Puppet VS Code Extension, and a new Puppet PowerShell DSC Builder module.

September 23, 2020

Red Hat announced the release of Red Hat OpenShift Container Storage 4.5, delivering Kubernetes-based data services for modern, cloud-native applications across the open hybrid cloud.

September 23, 2020

Copado, a native DevOps platform for Salesforce, has acquired ClickDeploy.

September 22, 2020

CloudBees announced general availability of the first two modules of its Software Delivery Management solution.

September 22, 2020

Applause announced the availability of its Bring Your Own Testers (BYOT) feature that enables clients to manage their internal teams – employees, friends, family members and existing customers – and invite them to test cycles in the Applause Platform alongside Applause’s vetted and expert community of testers.

September 22, 2020

Kasten announced the integration of the K10 data management platform with VMware vSphere and Tanzu Kubernetes Grid Service.

September 21, 2020

PagerDuty entered into a definitive agreement to acquire Rundeck, a provider of DevOps automation for enterprise.

September 21, 2020

Grafana Labs announced the release of Grafana Metrics Enterprise, a modern Prometheus-as-a-Service solution designed for the scale, architecture, and security needs of enterprises as they expand their observability initiatives.

September 21, 2020

Portshift's Cloud Workload Protection platform is now available through the Red Hat Marketplace.

September 17, 2020

env0, a developer of Infrastructure-as-Code (IaC) management software, announced the availability of its new open source solution for Terraform users, Terratag.

September 17, 2020

Push Technology announced a partnership with Innova Solutions, an ACS Solutions company, specializing in global information technology services.

September 17, 2020

Alcide achieved the AWS Outposts Ready designation, part of the Amazon Web Services (AWS) Service Ready Program.