Security staff can spend more than five hours a day fixing security vulnerabilities introduced during the application development cycle, Invicti says.
Security vulnerabilities have a bad habit of being introduced during development, only to surface after an application is deployed. The frustrating part is that many of these flaws could have been caught in advance if the proper methods and tools had been used to find them.
A report released Tuesday by web application security firm Invicti examines the time and resources spent finding security vulnerabilities in developed applications.
To compile its “State of the DevSecOps Professional: At Work and off the Clock” report, Invicti partnered with Wakefield Research to survey 500 cybersecurity professionals and software developers in at least director roles. Respondents were all from US companies with 2,000 or more employees.
Some 41% of security professionals and 32% of developers surveyed said they spend more than five hours a day fixing security issues that shouldn’t have happened in the first place. Having to tackle these security issues, especially amid the so-called Great Resignation and concern over impending cyberattacks, can easily lead to burnout and stress among professionals.
Some 81% of respondents said support tickets have a “magic power” to arrive at the very end of the day. A third of those surveyed said they had cancelled dates or nights out with friends because of security issues at work, and half said they had logged on during a weekend or other free time to resolve one.
Despite the stress, many respondents highlighted some positive aspects of their work.
Some 65% of security professionals and developers said they believe they have saved their organization at least $1 million in the past year by preventing breaches. 95% of respondents said digital transformation and the shift to a remote workforce has made their jobs more valuable and rewarding. Additionally, 49% of respondents said they were friendly with their security or development counterparts, an improvement from last year’s results.
Yet the frequent vulnerabilities and security issues that crop up are proof of the need to improve the application development lifecycle.
“Security is now everyone’s business, and disconnects between security and development often lead to unnecessary delays and manual labor,” said Sonali Shah, product manager at Invicti.
“Organizations can alleviate stressful overwork and related issues for security and DevOps teams by ensuring security is built into the software development lifecycle, or SDLC, and not an afterthought,” Shah added. “Application security scanning should be automated both during software development and once it is in production. Using tools that deliver fast analysis times, accurate results prioritized by contextualized risks, and integrations into development workflows, organizations can move security left and right while efficiently delivering secure code.”
When it comes to software development, innovation and security don’t need to compete, according to Shah. On the contrary, they are intrinsically linked.
“When you have the right security strategy in place, DevOps teams are empowered to embed security into the very architecture of application design,” Shah said. “By building security into the SDLC and investing in tools that precisely automate everything to reduce manual work, organizations have more room for innovation and can eliminate friction between security and development.”