New studies provide evidence for a phenomenon that is probably commonly recognized in IT departments these days: overworked staff and failures in inter-department communication are leading to a lot of vulnerable code being shipped, with many of the issues being ones that developers could have caught if not for some preventable circumstance.
Common practice of siloing departments leads to missed alerts, vulnerable code
A report from Tromzo focuses on the relationship between developers and security teams, who are often isolated from each other and prone to communication problems. More security alerts are being processed than ever, which necessarily means more false positives. Both groups feel overwhelmed and the product suffers.
The 400 developers surveyed said they are only getting to 32% of the vulnerabilities they are notified of. Developers are almost never expected to get to anywhere near 100% of alerts, as there will inevitably be a good deal of false positives that can be screened out earlier in the process, but the survey findings suggest that the proportion of false positives is about the same. That leaves a considerable number of legitimate alerts going unattended.
42% of these developers also said that they push vulnerable code at least once per month. Security teams, in turn, express frustration at developers not following their advice. This is a particular problem given that designing for security from the ground up appears to be much rarer than returning to code after it is written to shore up security.
The study also suggests that overuse of scanning tools may be a problem. 62% of respondents said they are using at least 11 tools, but this group tended not to be much more confident in its security posture than those using only a few.
Company culture causing issues for developers
Another study, from Secure Code Warrior, focuses on developer challenges. It suggests vulnerable code is an outgrowth of company cultures that tend to put a low priority on cybersecurity, even as digital crime has spiked in recent years.
Only 14% of the 1,200 developers in this survey listed security as a top priority. This is in spite of 82% of those involved in hiring reporting that secure coding skills were a high priority in recruiting. Attitudes do seem to be shifting, but not as fast as the threat landscape is.
22% of developers said that code security is not considered part of their job, something to be handled instead by some other party after the code is written. Part of this is fed by company culture: 61% say code is considered secure so long as the libraries it draws from are considered safe, and 28% say it is treated as secure so long as the vulnerable code does not produce any breaches within a few months of being used in the wild.
So what would improve the rate at which developers address vulnerable code? Those surveyed say that their primary issues are pressure from tight deadlines, a lack of support from the company in the form of a plan for securing code, and a lack of interest on the part of management.