A new survey of developers has found that there isn’t a single application security (appsec) tool that at least 80% of developers said is inhibiting their productivity.
Application security involves tools used to find and fix vulnerabilities in applications, and the report, released by appsec firm ShiftLeft, makes it seem that all of those tools are thorns in developers’ collective sides.
SEE: Hiring Kit: Application engineer (TechRepublic Premium)
The degree to which various aspects of appsec hinder developer productivity vary from item to item, with the largest hindrance (according to 89.7% of respondents) being a disconnect between developer and security workflows.
Following that disconnect come seven more problem areas, each worth mentioning because the least hindering one still causes problems for 81.3% of developers. From most to least troubling are:
- Performing security tests too late in the development cycle (88.7%)
- A lack of remediation guidance (87.7%)
- Poor quality of security testing results (86.2%)
- Vulnerability patching that requires additional updates to connected code (85%)
- A lack of dev friendly code analysis tools (84.4%)
- Too much reliance on manual security processes (82.1%)
- Speed of security testing software (81.3%)
Respondents indicated that most of the lost time spent securing apps comes during development and while apps are already in production (tied at 37.8%).
Integrated developer environment (IDE)-based security tools were shown to be the least popular, and the survey said that developers “often disable” tools of that kind. “Inserting security while developers are writing code [was found] to be the biggest inhibitor of developer productivity,” the report said.
SEE: Microservices: The foundation of tomorrow’s enterprise applications (free PDF) (TechRepublic)
The report also found that securing code at the pull/merge request point was the least productivity-inhibiting method of appsec, but also found that workflow disconnects are the most widely-acknowledged hindrance, indicating that pull/merge appsec may not be as common as developers wish it were.
“It is clear that scaling to meet the needs of the modern SDLC is not something appsec can spend or hire its way to. Engaging developers and creating a culture of accountability amongst development teams to secure the code they write in a timely manner is the only way security can match the pace of modern development,” the report concluded.
Developer-centric workflows are the key to improving appsec without sacrificing productivity time, and ShiftLeft said that static application security testing (SAST) and software composition analysis (SCA) are two of the better methods for developing dev-centric appsec processes.
That doesn’t mean security teams should consider appsec completely in the hands of developers, the report added: Dynamic app security testing, penetration testing, and web app firewalls are all still necessary parts of the software development lifecycles that should be handled by security teams.
The key is to create “purpose-built developer workflows for developer-centric security tools,” freeing devs up to do what they need to do without interrupting their cycles, and letting IT handle the rest of the application security sphere.