Half of DevOps Teams Surveyed Pushing Vulnerable Code
Organizations continuing to strive for secure application development are nevertheless succumbing to growing pressure to get distributed apps out the door. Those time pressures and the sheer velocity and complexity of enterprise IT are prompting some to consciously deploy applications with known vulnerabilities, according to a new DevSecOps report.
The study by Enterprise Strategy Group (ESG) and commissioned by electronic design automation specialist Synopsys Inc, (NASDAQ: SNPS) reveals that 48 percent of respondents knowingly pushed vulnerable code to production due to time pressures.
Of those, about half do so “because the vulnerabilities identified were discovered too late in the [development] cycle to resolve them in time,” said Patrick Carey, product marketing director for the Synopsys Software Integrity Group.
While 69 percent of companies surveyed insist their application security processes are effective, most that knowingly push vulnerable code on a regular basis have suffered “production application exploits” over the last year.
Time pressures and infrastructure complexity have combined to undermine DevSecOps efforts. “Most security teams lack an understanding of modern application development practices,” said Dave Gruber, a senior ESG analyst. “The move to microservices-driven architectures and the use of containers and serverless architectures has shifted the dynamics of how developers build, test and deploy code.”
Making matters worse, a separate study released this week found that application developers are relying heavily on open source application software and dependencies. Popular code repositories have become a “reliable and scalable malware distribution channel,” the security vendor Sonatype reported in this week in a status report on the software supply chain.
Harried applications developers also complain that poorly integrated security tools add “friction,” further slowing development cycles. An equal number, about one-quarter of respondents, complained that poor integration of security and DevOps tools is a “common challenge.” “Security and development teams are driven by different metrics, making objective alignment challenging.” Gruber said.
With developers effectively the gatekeepers for application security, a bare majority of survey respondents said they expect to invest more over the next 12 months in securing apps, including 44 percent who said they would focus on security for cloud-native applications.
In the meantime, organizations are struggling with the proliferation of incompatible application security tools, prompting greater investments in consolidating security tools. The survey found that 70 percent of companies polled use more than ten tools. About one-third said they are also focusing on security tool consolidation.
The survey findings are available here.