Over the last month or so, we’ve talked about security professionals becoming frustrated with executives over the speed in which they want applications and features released. Execs tend to care less about the security involved and more about the revenue it can bring in when released quickly. This typically results in a breach of some kind, causing a disconnect between AppSec and developers, and increases the frustration of security professionals who warned that it would happen. What we have discussed here has now been validated by a survey conducted by ShiftLeft.
According to their survey, which recorded responses from 165+ participants from April -June 2020, the top four insights were:
- Nearly 70% of software development organizations are releasing multiple times per month or more and 17.7% of organizations daily or faster
- The top 4 ways of integrating security into the SDLC are also the 4 least productive
- 96% Developers believe disconnected security & development workflows inhibit their productivity
- 93% of AppSec professionals believe that poor quality of security scanning/testing results inhibit developer productivity
If you go back to previous articles on InfoSec burnout and the shortage of coders in IT today, you will see that we previously discussed this as a problem. There is a huge disconnect between security and application development, and it’s not really on either of those departments to adjust. AppSec and developers are working at different paces, with AppSec unable to keep up. Dev is rushing through apps using dirty coding because managers are dictating it to be done that way, which is largely coming from someone higher up who wants it done now.
Companies want to go fast, they want to run before ensuring the ground they are running on is solid and not icy. This is what causes the problem, why there is a disconnect between security and development. On top of this, most coders are not taught security when they learn to code. Which only compounds the problem because they are doing what they are told, but then they have to go back and re-do work that’s already been done because it isn’t secure. Good coders hate that. Most people in general don’t like to re-do work that’s already been deemed complete. It’s frustrating and tedious.
There are two ways to combat this problem. First, educate coders on the importance of secure coding. Once they learn how their practices are actually enabling hackers, they will quickly adjust how they work. They will work security into their code and stand right next to the AppSec department, demanding that they be entrusted to do their job the correct way rather than being forced to rush through it. Second, higher ups and executives must understand why AppSec and Dev need to work hand in hand, why security is paramount in today’s world. The disconnect is causing friction among departments in corporations nationwide because industry practices are not keeping up with security practices.
Hackers tactics change on a regular basis, they have to in order to discover new ways to breach information since security is ramping up in many places. If businesses want to keep their customer, client and employee information safe, then security practices must be a priority. Going fast to get a product out could lead to a detrimental problem, one which not only sees a breach of information, but results in complete business loss as a side effect.
The survey by ShiftLeft only proves what most InfoSec and IT professionals already know: There’s a problem in the way apps and features are rolled out, in the way they are tested and how they are secured. It’s causing friction, the disconnect between AppSec and developers, contributing to burnout and ultimately forcing people to choose other career paths for their own mental health. It’s time for executives to take notice. Without these professionals on staff, business is going to get really tough, and keeping the people who are willing to put up with the nonsense is going to get expensive. If the problem can be solved now, it will go a long way toward saving a lot of businesses from losing it all.