One Article Review

Source: Veracode
Identifier: 2103327
Publication date: 2020-08-11 11:31:15 (viewed: 2020-12-15 21:05:43)
Title: New ESG Survey Report: Modern Application Development Security
Text: As organizations continue to adopt DevSecOps, a methodology that shifts security measures to the beginning of the software development lifecycle (SDLC), roles and processes are evolving. Developers are expected to take on increased security measures, such as application security (AppSec) scans, flaw remediation, and secure coding, and security professionals are expected to take on more of a security oversight role. Developers are taking the necessary steps to adapt to their evolving role and embrace security measures, but they're often at odds with their other priorities, like rapid deployments. Since developers' and security professionals' priorities are frequently misaligned, it can lead to organizational challenges and security gaps. Veracode recently sponsored Enterprise Strategy Group's (ESG) survey of 378 developers and security professionals in North America to better understand the dynamics between these teams and to understand their application security challenges and priorities. The report highlights five key insights:

1. Most think their application security programs are solid, though many still push vulnerable code. Respondents were asked to rate the efficacy of their organization's AppSec program on a scale of zero to 10, zero being "we continually have security issues," and 10 being "we feel confident in the efficacy and efficiency of our program." Two-thirds of the organizations surveyed rated their programs as an eight or higher. And, better yet, two-thirds are using their AppSec scans on more than half their codebase. Despite having a solid AppSec program and leveraging scans, 81 percent of organizations are still experiencing exploits. Why? The research revealed that 48 percent of organizations regularly release vulnerable code to production when they're under a time crunch. By pushing vulnerable code to production, organizations are putting their applications at risk for a breach.

2. Multiple security testing tools are needed to secure the potpourri of application development and deployment models in use today. There is no single AppSec testing type that is able to identify every vulnerability. Each testing type has its strengths and cautions. For example, if you only use static analysis, you won't be able to uncover open source flaws, business logic flaws, or configuration errors. If you only use software composition analysis, you will only identify third-party flaws. The findings showed that most organizations do employ a mix of testing types. However, there are some gaps. For example, only 38 percent of organizations use software composition analysis. Unless those organizations are using penetration testing, they are likely not testing for third-party vulnerabilities.

3. Developer security training is spotty, and programs to improve developer security skills are lacking. The survey uncovered that 50 percent of organizations only provide developers with security training once a year or less. Not surprisingly, the survey also uncovered that developers' top challenge is the ability to mitigate code issues. The only way for developers to improve their knowledge of code vulnerabilities is through security training or programs, like Veracode Security Labs, or AppSec solutions that give developers real-time security feedback as
Notes
Sent: Yes
Tags: Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.