Software Security: The Buck (Now) Stops With Developers
In this ever-changing online world, software developers have "started playing a leading role in the day-to-day operational responsibility for application security ... as information security teams testing products before release become irrelevant," writes cyber security company, WhiteSource, after polling over 600 developers.
Of those polled, 71% stated ownership lies in the software development side, whether it is by the DevOps teams, development team leaders or the developers themselves, as fixing a security vulnerability in the software development process ... produces better-secured applications from the get-go.
Turning more ownership over to developers has been noticeable in smaller organisations, which often have more freedom to define new processes, while SMEs and larger businesses are gradually following suit. Placing developers in charge of security has seen a change in their mindset and most view security as a top priority while coding.
Previously, it was standard procedure to review software security before a release, with any issues referred back to developers. The trend now is that the build stage ranks highly - 30% - as a testing point, while even more - 36% - are integrating security testing tools before the build stage.
Companies are investing in testing tools, training, and time spent on handling security vulnerabilities. However, "the integration of automated application security testing tools is bombarding developers with security alerts, which developers are now required to research and remediate," with "42% reporting they spend between 2-12 hours a month on these tasks, while another 33% say that they spend 12-36 hours on them."
If you're 'bombarded with security alerts' and want to stay informed about vulnerabilities, subscribe to SecAlerts and receive a free weekly report of CVEs and security news relating to your stack.