Security Teams Often Struggle to Get Developers on Board: GitLab Study

A GitLab study based on responses from over 4,000 software professionals shows a disconnect between developer and security teams, and suggests that good DevOps can be the solution to security problems.

Nearly 70% of developers say they are aware that they are expected to write secure code, but 49% of the security professionals (mostly represented by CIOs and CTOs) say it’s a struggle to get developers to make vulnerability remediation a priority, the survey shows.

Roughly half of security professionals say flaws are most often found by them after code is merged in a test environment, and 68% of them feel that less than half of developers are able to identify vulnerabilities later in the lifecycle, GitLab reported.

The security team of an organization with an established DevOps program is three times more likely to discover vulnerabilities before code is merged. Furthermore, they are 90% more likely to test 91-100% of code compared to an organization whose DevOps program is in early stages.

“Our research tells us that while most developers are aware of the dangers that vulnerabilities present and want to dramatically improve their security capabilities, they often still lack organizational support for prioritizing secure code creation, increasing secure coding skills, and implementing automated scanning and testing tooling to make that happen sooner rather than later,” said Colin Fletcher, manager of Market Research and Customer Insights at GitLab.

Interestingly, the study found that teams working mostly remotely are 23% more likely to have mature security practices compared to teams that mostly work from offices.

According to the survey, the most widely used application security methods are dependency scanning (56%), cloud security (42%), container security (41%), and static application security testing, or SAST (35%). However, 60% of respondents admitted that they only scan less than half of their code.

[Figure: Percentage of code tested, based on the GitLab survey]

Respondents were asked to rate their security practices and only 20% said they were good. As for their DevOps practices, 34% said they were good and 13% said they were very good.

“The big takeaway from this survey is that early adopters of strong DevOps models experience greater security and find it easier to innovate, but barriers still prevent developers and security teams from achieving true DevSecOps,” said Sid Sijbrandij, CEO and co-founder of GitLab. “Teams need a single solution that can provide visibility into both sides of the process for streamlined deployment.”

Related: GitLab Launches Public Bug Bounty Program

Related: GitLab Patches Domain Hijacking Vulnerability

Related: Hundreds of Git Repositories Held for Ransom

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
