Security professionals can spend more than five hours a day resolving vulnerabilities introduced during an application’s development cycle, Invicti says.
Security vulnerabilities have a bad habit of popping up during the software development process but only coming to light after an application has been deployed. The frustrating thing is, many of these security vulnerabilities could have been fixed ahead of time if the right methods and tools had been used to discover them.
A report released Tuesday by Invicti, a web application security company, looks at the time and resources spent tracking down vulnerabilities in developed applications.
To compile its report, “State of the DevSecOps Professional: At Work and Off the Clock,” Invicti partnered with Wakefield Research to survey 500 cybersecurity professionals and software developers at director level or above. The respondents were all from US companies with 2,000 or more employees.
About 41% of security professionals and 32% of developers surveyed said they spend more than five hours each workday fixing security vulnerabilities that shouldn’t have happened in the first place. Addressing these security concerns, especially amid the so-called Great Resignation and concerns about impending cyber attacks, can easily lead to overwork and stress for professionals.
About 81% of respondents said support tickets have a “magic power” to arrive at the very end of the day. A third of those surveyed said they had canceled dates or nights out with friends because of security issues at work, and half said they had logged in over a weekend or in their spare time to resolve a problem.
Despite the stress, many respondents pointed to certain positive aspects of their job.
About 65% of security professionals and developers said they think they saved their company at least $1 million in the past year by preventing breaches. A whopping 95% said digital transformation and the move to a remote workforce has made their work more valuable and rewarding. In addition, 49% of those surveyed said they are friends with their security or development counterparts, an improvement over last year’s findings.
Still, the frequent security vulnerabilities and issues that come to light are evidence of the need for improvement in the application development cycle.
“Security is everyone’s business these days, so a disconnect between security and development often causes unnecessary delays and manual work,” said Invicti chief product officer Sonali Shah.
“Organizations can alleviate stressful overtime and related issues for security and DevOps teams by ensuring that security is built into the software development lifecycle, or SDLC, and not an afterthought,” added Shah. “Application scanning needs to be automated, both during software development and once it’s in production. By using tools that provide fast scan times, accurate findings prioritized by contextualized risk, and integrations into development workflows, organizations can shift security left and right while delivering secure code.”
When it comes to software development, Shah says innovation and security don’t have to compete. Rather, they are inherently linked.
“If you have a good security strategy, DevOps teams are able to build security into application design architecture,” Shah says. “By building security into the SDLC and investing in tools that accurately automate everything to reduce manual work, organizations have more room for innovation and can eliminate friction between security and development.”
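To make the “built into the SDLC” advice concrete, the following is an added example written for this article; it is not Invicti’s code or tooling, and the report itself contains no code. It shows a minimal CI gate that reads scanner output in the SARIF 2.1.0 format, adjusts each finding’s base severity by deployment context (findings in internet-facing code weighted up, findings in test code weighted down), sorts the result into a prioritized list, and fails the build when any contextual risk score meets a threshold. The SARIF document is constructed for the example, the path prefixes and weighting factors are assumed heuristics, and reading the base score from a rule’s `security-severity` property is an assumption (it follows the convention GitHub code scanning uses for CodeQL rules; other scanners may populate a different field).

```python
import json

# Constructed sample SARIF 2.1.0 output (not produced by any real scanner).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "8.8"}},
            {"id": "XSS-002", "properties": {"security-severity": "6.1"}},
            {"id": "WEAK-HASH-003", "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web/login.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "WEAK-HASH-003", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/test_hash.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "XSS-002", "level": "warning",
             "message": {"text": "Reflected parameter written to HTML"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web/search.py"},
                 "region": {"startLine": 19}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into a list of finding dicts.

    The base score is taken from the rule's 'security-severity' property
    (assumed convention); a rule without one scores 0.0.
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            severity = float(rule.get("properties", {}).get("security-severity", 0.0))
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "severity": severity,
                "uri": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def contextual_risk(finding, exposed_prefixes=("src/web/",), test_prefixes=("tests/",)):
    """Adjust the base severity by where the code runs (assumed heuristic).

    Internet-facing code gets +1.0 (capped at 10.0); test-only code is scaled
    down to 20% because it never ships to production.
    """
    score = finding["severity"]
    uri = finding["uri"]
    if uri.startswith(test_prefixes):
        return score * 0.2
    if uri.startswith(exposed_prefixes):
        return min(10.0, score + 1.0)
    return score


def gate(findings, fail_threshold=7.0):
    """Return a prioritized list and whether the build may proceed."""
    prioritized = sorted(
        ({**f, "risk": contextual_risk(f)} for f in findings),
        key=lambda f: f["risk"], reverse=True,
    )
    blocking = [f for f in prioritized if f["risk"] >= fail_threshold]
    return {"pass": not blocking, "blocking": blocking, "prioritized": prioritized}


def run_gate(sarif_text, fail_threshold=7.0):
    """Convenience wrapper: parse, score and gate in one call."""
    return gate(load_findings(sarif_text), fail_threshold)


if __name__ == "__main__":
    result = run_gate(SAMPLE_SARIF)
    for f in result["prioritized"]:
        print(f"{f['risk']:4.1f}  {f['rule']:14s} {f['uri']}:{f['line']}  {f['message']}")
    print("BUILD", "PASSED" if result["pass"] else "FAILED")
```

In a pipeline this would run as a step after the scanner, with the exit code tied to `result["pass"]`; the weighting table is the place where an organization encodes its own contextual risk (asset exposure, data classification, reachability) rather than relying on raw scanner severity.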