Half of firms deploy weak apps due to time pressure


Nearly half (48%) of cybersecurity professionals surveyed in North America consciously push vulnerable code to production due to time pressures, according to a study conducted by Enterprise Strategy Group (ESG) for Synopsys.

ESG surveyed 378 qualified cybersecurity professionals who work at organisations in multiple industry verticals including manufacturing, financial services, construction/engineering, and business services, among others throughout the United States and Canada.

The study also finds that integrations which complement high-velocity application development are the most important factor in improving application security programs, according to 43% of respondents.

“Of the organisations consciously pushing vulnerable code into production, 45% do so because the vulnerabilities identified were discovered too late in the cycle to resolve them in time,” said Patrick Carey, director of product marketing for the Synopsys Software Integrity Group.

“This reaffirms the importance of shifting security left in the development process, enabling development teams with ongoing training as well as tooling solutions that complement their current processes so that they may code securely without negatively impacting their velocity,” said Carey.

The survey shows that most firms believe their application security program is effective, even though many still push vulnerable applications into production: 69% of respondents rate the efficacy of their current program as an 8 or higher on a scale of 0 to 10, with 10 being the most effective.

Yet, with nearly half of organisations consciously pushing vulnerable code on a regular basis, most have experienced production application exploits involving OWASP Top 10 vulnerabilities in the past 12 months.

DevOps integration is a critical element for improvement as more than one-quarter of respondents say that their current application security tools add friction and slow down development cycles, while 23% identify poor integration with development/DevOps tools as a common challenge.

Additionally, 26% of respondents note a difficulty with or lack of integration between different application security vendor tools as a common application security challenge.

Developers play an important role in application security, but many lack the necessary skills and training. Three in every 10 (29%) respondents say that developers within their organisation lack the knowledge to mitigate the issues identified by their current application security tools.

Also, firms are planning to increase application security spending. More than half (51%) of respondents report plans for significant increases in application security spending over the next 12 months.