Organizations aspire to reach perfection and often look to emulate best practices of peer organizations to do so. When it comes to software development, global technology leaders like Google, Amazon, Uber, Apple, and others immediately come to mind as best-in-class practitioners. Seeking to understand what software development life cycle (SDLC) practices these technology leaders use, Contrast Security surveyed 100 developers from 50 of the world’s leading technology companies.
Hundreds of Applications in Development and Management
The commissioned study reveals the attitudes and practices around application security that modern software developers embody. The survey was conducted over email as well as through a call center during August 2020. Respondents were part of development teams that ranged from a couple thousand to over a hundred thousand. Nearly two-thirds of respondents indicate that their organizations develop and manage over 800 applications, and over 63% are responsible for more than 250.
SDLC Can Make or Break a Technology Company
On some fronts, developers in technology companies are just like developers across other industry segments. But in other ways, developers in technology firms are measured differently, and thus they must adhere to distinct development approaches. The speed at which the technology sector changes places digital transformation at the forefront. Behemoths in technology can quickly go from growth darlings to “has-beens,” or cease to exist altogether.
As a result, it isn’t surprising that the vast majority (85%) believe there are significant differences between technology companies and other industries. What precisely makes them unique is a different question. Nearly 3 in 10 developers in the survey believe their tools make them unique, whereas another 18% indicate it is the extraordinary nature of the team members themselves.
85% of developers believe there are significant differences between technology companies and other industries.
Developers Are Under Pressure for Faster Digital Acceleration
One recent study of CEOs found that almost 7 in 10 believe that nothing—including security—should be allowed to slow down development processes. And even though technology companies are achieving faster development and release cycles than other industries, developers in technology companies report that they remain under increasing pressure to accelerate digital innovation.
Nearly 8 in 10 in our survey said they “strongly agree” or “agree” that they are under pressure to shorten release cycles and commit more code. Not every job title in the survey felt the same, with build engineers, QA engineers, and application security architects expressing the highest sense of pressure.
This response is a bit surprising considering the speed at which survey respondents indicate they are writing and releasing code. Fully 85% of them deploy code to production at least multiple days per week, with almost two-thirds doing so daily. Achieving this rate of code releases requires adopting open-source frameworks and libraries, which survey respondents confirm: Two-thirds have adopted open source in at least 75% of their applications.
Despite writing and deploying code into production at dizzying rates (in most cases daily), almost 80% of developers say they are under pressure to tighten the reins even further.
Application Security Challenges Remain
While the survey report reveals a number of positives when it comes to the SDLC, it also exposes a list of application security challenges that remain to be solved for many modern software development teams. The number of application security tools in use continues to proliferate, and almost three-quarters of the survey respondents said they have too many. In the majority of instances, survey respondents indicated that these tools are not integrated with their IDE or with their continuous integration/continuous deployment (CI/CD) pipeline processes and tools.
At the same time, the lack of integration creates substantial inefficiencies for developers. Nearly 8 in 10 say they spend too much time diagnosing and triaging security alerts (and false positives in particular). These factors cascade into a cross-disciplinary efficiency drain. Six in 10 respondents indicate they spend too much time coordinating with their security counterparts on vulnerability remediation. Additionally, the larger the development team, the bigger the issue: The number increases to almost 7 in 10 for teams managing over 800 applications.
Almost 80% of developers spend too much time diagnosing and triaging security alerts, and 60% spend too much time coordinating with their security counterparts.
As many legacy application security tools require specialized expertise, many development teams must hire hard-to-find and hard-to-retain application security staff to manage penetration testing, application scanning tools, and reconciliation of findings. With these specialists in high demand, it is not a surprise that almost three-quarters of survey respondents indicated they are unable to find and retain the staff needed in this area.
The adoption of Agile and DevOps practices is driving the use of more application programming interfaces (APIs) and new development tools. Yet significant concerns remain about the security of these APIs and tools. For example, one-third or more of survey respondents lack confidence in the security of their API and CI/CD infrastructure. Worse yet, only 30% of developers are confident in their container security.
On top of the above, application vulnerabilities remain a significant challenge. 85% of developers indicate the average application has more than 10 vulnerabilities, and almost half note they have more than 20. Just as troubling is the fact that it takes developers a long time to fix most vulnerabilities: Only 31% remediate half of their vulnerabilities within 30 days, and only 41% remediate 75% of them within 90 days.
But There Is AppSec Good News, Too
Putting aside the challenges, there is reason to see the glass half full as well. The amount of code being written and the speed at which it is being released into production continue to accelerate. 85% of development teams now deploy code into production at least multiple times per week—and many do so even more frequently. The adoption of open-source libraries and frameworks is helping to accelerate this business transformation: Two-thirds of development teams use open source in more than three-quarters of their applications.
There is a bit of good news concerning security in the survey. MTTR and vulnerabilities were frequently cited as top evaluation areas by developers—an indication that security is a priority for developers in technology companies.
Modern software developers and their management also recognize that a broad and growing application attack surface makes application security more urgent today than ever before. When asked to stack rank (pick only the top four), survey respondents listed operational acceptance, mean time to remediate (MTTR) vulnerabilities, and application vulnerabilities found as the top three areas on which their performance is evaluated. And there is significant interest on their part to learn more: 77% express the desire to learn more about application security. If organizations follow through on this motivation for increased emphasis on application security, outcomes around application vulnerabilities and their remediation could improve in future surveys.
There is much to be excited about when it comes to digital transformation. Application security should not be an inhibitor, and the upside from our survey findings is that developers concur.
For these and other insights from modern software development teams, download a copy of our new report today—“Priorities and Challenges for Modern Software Developers: Survey Findings from Today’s Top-performing Technology Companies.”
Other Resources
Report: Priorities and Challenges for Modern Software Developers: Survey Findings from Today’s Top Performing Technology Companies
Podcast: Developers and Application Security Practices in the Technology Sector
Infographic: AppSec Insights from Modern Software Developers in the Technology Sector