DevOps study: Report claims increasing developer role in AppSec
A new report from WhiteSource examines the role of developers regarding application security. What free tools do developers use and which are best suited for the job? What part of a team should handle AppSec? Compare your company to the results and see what insights the study reveals.
Security concerns continue to remain a top consideration for developers. A recent report from WhiteSource examines the complexities behind application security and how developers approach AppSec.
As DevOps becomes more mature, new security issues arise. How can we improve AppSec? When we spoke with Tim Mackey last year at DevOpsCon, he discussed some of the challenges developers face when it comes to application security. Mackey predicted that over time, the rate of security disclosures will increase and web services APIs introduce new risk profiles. (The biggest advice he offers? When you find a security issue, report it.)
What tools do developers use and which are best suited for the job? What part of a team should handle application security? Let us take a look at the WhiteSource report and see what takeaways it offers.
Security for developers
Whose job is application security? The split consensus reveals overlapping answers between DevOps, security teams, developers, and software dev team leaders. With the advent of DevOps, many teams are shifting left and giving developers more control over how application security is handled.
Most developers responded that they take security into consideration when developing software. Only 3% of respondents say they do not care about security because it slows their process down. 58% of developers responded that security is their number one priority during software development.
Who remediates security issues once they are discovered? Oftentimes, developers do. The study says: “developers are faced with rising expectations for them to take a more substantially leading role when it comes to application security, but are lacking the necessary tools to do so.”
Some developers spend a large amount of time on remediations. 33% of respondents spent 12 to 36 hours a month on remediations.
Companies are also putting emphasis on security training for developers and invest in ensuring that developers are at the top of their security game. 36% of respondents say that their company provides security training in order to help them code better.
AppSec tools & open source
How do tools integrate into the workflow?
68% of developers reportedly use at least one of the following technologies: SAST, DAST, SCA, IAST, RASP.
According to the report, now 34% of developers implement automated Software Composition Analysis (SCA) tools for detecting open source components with known vulnerabilities. 28% of teams use a scan scanner for software review once or twice a year.
The most-used free security tools developers use:
- GitHub security alerts: 36%
- OWASP Dependency Check: 27%
- White Source Bolt: 23%
- Snyk: 17%
- DepShield: 7%
How do developers find the best open source tool and separate the best from the rest? The top parameters North American respondents check regarding open source security tools:
- Known vulnerabilities: 50%
- Open source license: 41%
- Feedback from colleagues and websites: 40%
- Version updates: 39%
- Active community: 32%