WhiteSource’s Analysis to Improve Relations Among Developers and Security Teams

In a report released by the team at WhiteSource, the team revealed insights gathered from the survey they had conducted to improve DevSecOps. The relationship between the security team and the developer teams has been a strained one as their goals are often contradictory. The report showed that about 73% of security personnel and developers feel forced to compromise on security. The option of moving security to the domain of the developers is proving futile as developers pay less attention to this part of the production.

With the working from home option trending among most corporations due to the pandemic, the threat of increased security sabotage has been exemplified. Developers are working from less secure and controversially set up systems, and the hackers have less trouble infiltrating.

In most organizations, the need to deploy products is often heightened in the minds of the developers, where only 31% of organizations have a standardized prioritization process, 58% sometimes agree but follow separate practices and guidelines, and 11% rarely agree. The result of this shows that making sure these deployments are not a security threat comes second place, and it is often left to the security team. Even when security has been merged with Development and Operations - DevSecOps, most organizations' practices are not mature enough, as mature organizations use DAST, SCA, IAST, Containers, and RASP AppSec tools twice as much as immature organizations, thereby sacrificing security for speed.

One option would be to hire more security experts in the team, but there's a large deficit, such that Cyberseek's heat map reports that for every two roles that are filled, the need for an extra hand is opened. This leads to a deficit of 500,000 persons and a high rate of burnout among the current teams, and all but unavoidable security incidents.

The report also noted the developers' low adoption of AppSec tools and the more significant percentage of them purchase tools without using them. This is because the tools were not designed in ways that made it easier for developers to adopt. The developers also lacked knowledge of functioning AppSec tools used in their organizations. Still, most security teams adopt and use these tools in which SAST, DAST and IAST have a considerable usage gap between the two teams. On the other hand, 25% of the security teams were noted to adopt AppSec tools more for compliance and meets industry-specific regulations (HIPAA, PCI etc.) than to get the developers more involved in security.

A trend noticed with the survey was the lack of basic security training for developers, where nearly 60% of them stated that they have no secure coding training. In comparison, about 60% of security professionals have a running security program for about a year, and only 37% of developers are aware of a program running longer than a year. To better improve the state of DevSecOps, training developers in security practices and having an AppSec champion are to be considered. Developers trained in preventing security issues would avoid them, which would speed up production practices, but only 40% - 60% of organizations have an AppSec champion.

With choosing the right tools for DevSecOps, the better strategy would be for the team to pay more attention to solutions that can easily be integrated into development. The direct result of this would be a more seamless agile process between developers and security. Deadlines can also still be achieved without putting security at risk.