In the past, IT security in the application building process has often been addressed as an afterthought, usually brought up at the last minute, just after the desired application and code were created.
Since 2014, however, that frequent pattern has been changing as more security emphasis is apparently being brought into application development earlier in its creation, according to a recent DevSecOps study on enterprise security practices, released by Sonatype.
The report, the 2017 DevSecOps Community Survey, found that in 2014, the last time the study was conducted, only 5 percent of the respondents said that application security analysis was done in the initial design/architecture phase of projects, compared to 13 percent by 2017. At the development stage, the figures were 20 percent in 2014 and 34 percent in 2017, while in the Q/A testing phase they rose from 21 percent in 2014 to 49 percent in 2017. Prior to release into production, application security analysis was conducted 24 percent of the time in 2014 and 45 percent of the time in 2017, while in production it was done 29 percent of the time in 2014 and 42 percent of the time in 2017. Another 15 percent said such analysis was done throughout the process in 2014, with 27 percent reporting the same practice in 2017. The figures were even higher in each category for companies that used mature DevOps practices in 2017, according to the study.
"The biggest thing that the study showed us is that security as a practice is evolving more," Derek Weeks, a vice president and DevOps Advocate at Sonatype, told ITPro. "Security has traditionally been more of a central focus of its own, apart from everything else in the past. But we have seen over the last few years more organizations adopting security much earlier in their software development lifecycles, as they are trying to bake security into applications so when they go into production they are more secure from the beginning."
The 2017 survey, whose numbers are based on online responses from 2,292 IT professionals around the world (including 1,759 who completed the survey in its entirety), found that for mature IT organizations the implementation of automated security practices across development increased two- to three-fold in the period, said Weeks. The study included 37 questions about security and development and was conducted between Feb. 1 and Feb. 28, 2017. It was the fourth such survey conducted by Sonatype since 2011, focusing on the combination of application development and security practices that is also known as DevSecOps.
The responses show that "not only are automated practices coming more into play but they are coming into play earlier and everywhere across the development cycle," said Weeks. "DevOps organizations are saying if they are going to get really good at security they have to work on it earlier and during development."
The old procedure, which included building applications and then submitting them to the security team at the last minute, is losing favor, he added. The problem with that approach was that developers were already working on their next projects, leaving security concerns to be a nag, he said.
"What development teams have really figured out is that if they can talk about secure coding practices as they are building applications … someone can say 'that logging framework has a vulnerability' and resolve it before it goes further," said Weeks. "If you empower the developers with that information early in the software development lifecycle, they can fix it immediately."
More companies are finding that this approach is much better than hearing a month later that the application has problems and needs to be fixed. "Now we have some empirical evidence that actually shows this is happening," said Weeks.
The 2017 Sonatype survey also reported that 50 percent of the developers said they know security is important but that they often don't have enough time to spend on it because of their busy workloads.
Twenty percent of the 2017 respondents said they suspected or had verified a security breach related to open source components in the last year, compared to 14 percent who suspected or verified such a breach in the 2014 survey.
Some 67 percent of the 2017 respondents described their business IT DevOps practices as very mature or improving in maturity. Some 47 percent of traditional development and operations teams see security teams and policies slowing them down, while only 28 percent of mature DevOps teams believe they are being slowed by security requirements.