Source: ZeroNorth and Ponemon Institute

Organizations are facing a growing disconnect between security and DevOps teams, creating a tall order for CISOs to implement change. Seventy-five percent of application security practitioners and 49% of developers believe there is a cultural divide between their respective teams that could increase organizational risk, according to a new study by the Ponemon Institute and ZeroNorth, a provider of risk-based vulnerability orchestration across applications and infrastructure.

Speed is the culture of DevOps, which often runs counter to the culture of security–risk averse and rigid, according to the study. But as digital transformation takes hold, the two entities stress that AppSec teams and developers need to work well together. With DevOps methodology seeing more adoption, teams are delivering software at continually higher velocities.

The Ponemon Institute surveyed 581 security practitioners and 549 developers on the cultural divide, its implications, the impact of COVID-19 and teleworking on the divide, and how to bridge the divide.

SEE: Top 5 benefits of DevOps (TechRepublic)

The findings highlight both the software delivery and security impacts resulting from the cultural divide across AppSec and developer teams. For example, more than half of developers (56%) said AppSec stifles innovation, according to the study.

However, 65% of AppSec professionals said they believe developers do not care about securing applications early in the software development lifecycle.

AppSec and developers must share a culture centered on delivering secure applications and develop a shared understanding of risk, ZeroNorth and the Ponemon Institute said.

Yet, the teams are not aligned on this front. Only 35% of developers said application risk is increasing while 60% of AppSec professionals believe this to be true, according to the report.

CISOs need to empower both groups

“As this survey shows, the cultural divide is here today, and will become more exacerbated as organizations move towards DevOps, rendering the traditional, centralized model for security obsolete,” said ZeroNorth CEO, John Worrall, in a statement. “We believe this opens the doors for CISOs to become a pillar that supports the bridge between AppSec and development cultures.”

If CISOs enable a culture that empowers both development and security to execute on their priorities, they can transform the status quo—which is stifling innovation—while significantly improving security, Worrall said.

The research “reveals the serious impact the AppSec and developer cultural divide can have on an organization’s security posture,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.

There are five steps ZeroNorth and Ponemon Institute recommend organizations should take to help bridge the cultural divide:

  • Ensure sufficient resources are allocated to ensure applications are secured in the development and production phase of the SDLC

  • Apply application security practices consistently across the enterprise

  • Ensure developers have the knowledge and skill to address critical vulnerabilities in the application development and production life cycle

  • Conduct testing throughout the application development, and

  • Ensure testing methods scale efficiently from a few to many applications.

One of the main issues the research disclosed is that developers and AppSec practitioners don’t agree on which function is responsible for the security of applications. Thirty-nine percent of developers said the security team is responsible, while 67% of AppSec practitioners said their teams are responsible, the report said.

Another finding is that AppSec and developer respondents admit working together is challenging, with AppSec respondents saying it is because the developers publish code with known vulnerabilities, the report said. Conversely, developers said security does not understand the pressure of meeting their deadlines and security stifles their ability to innovate.

Digital transformation is putting pressure on organizations to develop applications at increasing speeds, which puts security at risk. The study found that 65% of developer respondents said they feel the pressure to develop applications faster than before the digital transformation, and 50% of AppSec respondents agreed.

The impact of COVID-19 and telework on the cultural divide

One thing both groups overwhelmingly agree on is that teleworking is stressful: 66% of developers and 72% of AppSec respondents. Only 29% of developers and 38% of AppSec respondents said they are very confident that teleworkers are complying with organizational security and privacy requirements.

Additionally, 74% of AppSec and 47% of developer respondents said their organizations were highly effective at stopping security compromises before COVID-19. After the pandemic started, only one-third of both sets of respondents said their effectiveness is high, the report said.