Developers Care About Security, but the Infosec Team Cares More
Assuming that developers are lazy about security is unfair. In fact, a recent DZone survey of 540 developers about application security indicated 54 percent think that they, the developers, should be responsible for security. If you’re a security pro, you probably just groaned.
Developers care about security, just not to the same degree as their information security counterparts. For developers, security is just one of many considerations, while the infosec team is continuously focused on testing and compliance. In fact, according to the same DZone survey, 60 percent said that release schedules have overridden security concerns at their organization.
The SANS Institute’s 2017 State of Application Security: Balancing Speed and Risk provides more perspective with its survey of 214 IT professionals, two-thirds of whom work in security-focused roles. When asked about the top challenges to implementing application security in production systems, the top response was “bridging the gap between software development, security and compliance,” and the second most cited was “silos between security, development and business units.”
It appears that everyone knows that testing should be integrated into the entire software development lifecycle. Getting everyone to prioritize this is a different story. One of the biggest reasons for the continuing gap is that while testing is more likely to be a security responsibility, remediation falls into developers’ laps.
According to the SANS Institute report, developers are the most likely to be responsible for taking corrective action, while internal and external security testers focus on identifying problems. There is widespread agreement that communication across job roles can align goals. Another way to improve a company’s security posture could be building cross-functional teams with designations such as DevOps or DevSecOps.
Can organizational and C-level commitment be the panacea for app security? If you know of other data sources showing a link, or the lack of one, between Infosec, DevOps, and AppDev, please let us know.
Feature image via Pixabay.