WhiteSource’s Analysis to Improve Relations Among Developers and Security Teams

A report from the insights released by WhiteSource on DevSecOps practices

TL;DR

WhiteSource provides a solution that allows developers to work more seamlessly with the security teams in ensuring that deployment rates are not affected while security is achieved.

Developers are working from less secure and controversially set up systems, and the hackers have less trouble infiltrating.
Developers are working from less secure and controversially set up systems, and the hackers have less trouble infiltrating.
Key Facts
  1. 1

    WhiteSource conflicts a survey focused on improving DevSecOps.

  2. 2

    The internal battle between deploying more products and focusing on security often push security to the back

  3. 3

    400% increase in cyber attacks reported by the United States Federal Bureau of Investigations.

  4. 4

    Adopting automation as a bridge between developers and security teams.

  5. 5

    Training developers in security matters would improve production speed.

Details

In a report released by the team at WhiteSource, the team revealed insights gathered from the survey they had conducted to improve DevSecOps. The relationship between the security team and the developer teams has been a strained one as their goals are often contradictory. The report showed that about 73% of security personnel and developers feel forced to compromise on security. The option of moving security to the domain of the developers is proving futile as developers pay less attention to this part of the production.

With the working from home option trending among most corporations due to the pandemic, the threat of increased security sabotage has been exemplified. Developers are working from less secure and controversially set up systems, and the hackers have less trouble infiltrating.

In most organizations, the need to deploy products is often heightened in the minds of the developers, where only 31% of organizations have a standardized prioritization process, 58% sometimes agree but follow separate practices and guidelines, and 11% rarely agree. The result of this shows that making sure these deployments are not a security threat comes second place, and it is often left to the security team. Even when security has been merged with Development and Operations - DevSecOps, most organizations' practices are not mature enough, as mature organizations use DAST, SCA, IAST, Containers, and RASP AppSec tools twice as much as immature organizations, thereby sacrificing security for speed.

One option would be to hire more security experts in the team, but there's a large deficit, such that Cyberseek's heat map reports that for every two roles that are filled, the need for an extra hand is opened. This leads to a deficit of 500,000 persons and a high rate of burnout among the current teams, and all but unavoidable security incidents.

The report also noted the developers' low adoption of AppSec tools and the more significant percentage of them purchase tools without using them. This is because the tools were not designed in ways that made it easier for developers to adopt. The developers also lacked knowledge of functioning AppSec tools used in their organizations. Still, most security teams adopt and use these tools in which SAST, DAST and IAST have a considerable usage gap between the two teams. On the other hand, 25% of the security teams were noted to adopt AppSec tools more for compliance and meets industry-specific regulations (HIPAA, PCI etc.) than to get the developers more involved in security.

A trend noticed with the survey was the lack of basic security training for developers, where nearly 60% of them stated that they have no secure coding training. In comparison, about 60% of security professionals have a running security program for about a year, and only 37% of developers are aware of a program running longer than a year. To better improve the state of DevSecOps, training developers in security practices and having an AppSec champion are to be considered. Developers trained in preventing security issues would avoid them, which would speed up production practices, but only 40% - 60% of organizations have an AppSec champion.

With choosing the right tools for DevSecOps, the better strategy would be for the team to pay more attention to solutions that can easily be integrated into development. The direct result of this would be a more seamless agile process between developers and security. Deadlines can also still be achieved without putting security at risk.


Get similar stories in your inbox weekly, for free

Is this news interesting? Share it with your followers

Latest stories


200 Million Certificates in 24 Hours

Let's Encrypt has been providing free Certificate Authority (CA) for websites in need of them …

Gatling VS K6

Gatling and K6 are performance load testing tools, and they are both open source, easy …

Red Hat Ansible Platform 1 vs 2; What’s the Difference?

Red Hat Ansible is a platform used by enterprises to manage, unify and execute infrastructure …

Domino Data Labs Raised $100 Million in the Latest Funding Round

Culled from the news released by Domino Data labs on funding and the company's progress …

New Release: The Microsoft Azure Purview Is Now Available on General Availability

News report detailing the announcement of the release of Azure purview on GA

Google Introduces Online Training Program to Improve Cloud Skills

Google addresses existing cloud personnel deficiency with training programs.