A GitLab study based on responses from over 4,000 software professionals shows a disconnect between developer and security teams, and suggests that good DevOps can be the solution to security problems.
Nearly 70% of developers say they are aware that they are expected to write secure code, but 49% of the security professionals (mostly represented by CIOs and CTOs) say it’s a struggle to get developers to make vulnerability remediation a priority, the survey shows.
Roughly half of security professionals say flaws are most often found by them after code is merged in a test environment, and 68% of them feel that less than half of developers are able to identify vulnerabilities later in the lifecycle, GitLab reported.
The security team of an organization with an established DevOps program is three times more likely to discover vulnerabilities before code is merged. Furthermore, they are 90% more likely to test 91-100% of code compared to an organization whose DevOps program is in early stages.
“Our research tells us that while most developers are aware of the dangers that vulnerabilities present and want to dramatically improve their security capabilities, they often still lack organizational support for prioritizing secure code creation, increasing secure coding skills, and implementing automated scanning and testing tooling to make that happen sooner rather than later,” said Colin Fletcher, manager of Market Research and Customer Insights at GitLab.
Interestingly, the study found that teams working mostly remotely are 23% more likely to have mature security practices compared to teams that mostly work from offices.
According to the survey, the most widely used application security methods are dependency scanning (56%), cloud security (42%), container security (41%), and static application security testing, or SAST (35%). However, 60% of respondents admitted that they only scan less than half of their code.
Respondents were asked to rate their security practices and only 20% said they were good. As for their DevOps practices, 34% said they were good and 13% said they were very good.
“The big takeaway from this survey is that early adopters of strong DevOps models experience greater security and find it easier to innovate, but barriers still prevent developers and security teams from achieving true DevSecOps,” said Sid Sijbrandij, CEO and co-founder of GitLab. “Teams need a single solution that can provide visibility into both sides of the process for streamlined deployment.”
Related: GitLab Launches Public Bug Bounty Program