Whitesource DevSecOps Insights

Security vs. Developers: The DevSecOps Showdown


IS DEVSECOPS MORE THAN A BUZZWORD FOR ORGANIZATIONS?

DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. Developers share ownership of security, and the traditional silos between development and security teams are broken down.

Most organizations believe they are in the process of adopting DevSecOps tools and practices. But are they really?

We surveyed over 560 application security professionals and software developers to find out.

Key Insights

01 Most security professionals and developers feel forced to compromise on security in order to meet deadlines.
02 AppSec tools are purchased to ‘check the box’, disregarding developers’ needs and processes.
03 Huge gaps in AppSec knowledge and skills among developers are neglected by organizations.
04 Security professionals’ top challenge is vulnerability prioritization, but the lack of standardized processes leads to friction with developers.

73% OF SECURITY PROFESSIONALS AND DEVELOPERS FEEL FORCED TO COMPROMISE ON SECURITY

Most security professionals and developers believe their organizations are in the process of adopting DevSecOps tools and practices.

If both teams feel they are neglecting security to stay on schedule, something in the DevSecOps process is broken.

When it comes to choosing AppSec tools, security professionals barely consider developers’ adoption

Automated AppSec tools help speed up security — if developers are willing to adopt them.

Unfortunately, most security professionals barely consider developers’ adoption when choosing an AppSec tool.

When considering an AppSec tool, which of the following are most important to you?
#1 Early detection
#2 Ease of integration and implementation
#3 Full path coverage
#4 Compatibility to tech stack
#5 Ease of use
#6 Developer's adoption
#7 Scanning performance

Developers do not get training (although security professionals believe they do)

Even though lack of skilled personnel was the second biggest challenge listed by security, secure coding training is neglected by organizations.

The divide between security and development teams is again reflected by the differences in training perception between security professionals and developers.

Which secure coding training initiatives do you currently employ, if any?
(Responses from security professionals / responses from developers)

We do not have a secure code training program at our organization: Security 27%, Developers 40%

Developers receive an annual training on secure coding: Security 26%, Developers 20%

Our secure code training program is performed regularly for our developers: Security 25%, Developers 21%

Developers receive training tools, allowing them to train themselves independently on secure coding best practices: Security 22%, Developers 19%

Vulnerability prioritization is a top challenge for security, but most organizations lack a standardized process

Without a standardized prioritization process, friction between development and security teams rises, and remediation is delayed.

An AppSec champion helps bridge the skills gap, and supports prioritization processes. When cooperation is encouraged, standardized processes for prioritization are more common.

Teams with an AppSec champion are nearly twice as likely to easily reach an agreement with a standardized process.

To what extent do the security team and development team in my organization agree on which application vulnerabilities need to be fixed?

With AppSec Champion
We have an agreed-upon process to determine priorities: 40%
We sometimes agree, but we follow ad hoc practices and separate guidelines: 57%
We rarely agree: 3%

Without AppSec Champion
We have an agreed-upon process to determine priorities: 21%
We sometimes agree, but we follow ad hoc practices and separate guidelines: 60%
We rarely agree: 19%
