As developers, security experts, and team leads we are constantly thinking about or asking how we can avoid the next big data breach?
Is the problem really larger than us? Or is this something we as development teams have the power to solve? We took this question to our community, and the result brought us back to our mission of working to empower developers to code more securely.
Every week in our [DevSec Friday Series], we like to ask attendees opinion questions about the security landscape to start meaningful conversations. This community is made up of hundreds of developers, CTO’s, security engineers, students, and other tech leads. These varying perspectives bring a lot of value to these discussions as we all challenge our assumptions and beliefs based on others’ backgrounds and experiences.
On May 15th, we asked our audience what they believed were the greatest drivers of the existing application security problem software teams face today:
- Lack of developer awareness
- Lack of executive awareness
- Lack of security talent
- Lack of appropriate tools
- Increased attack surface
Here is what our community said:
57% said lack of developer awareness, 41% lack of executive awareness, 31% lack of security talent, 12% lack of appropriate tools, and 38% believed the increased attack surface is a leading cause of the application security problem.
It became rather clear that the lack of developer awareness was believed to be one of the main reasons leading to security vulnerabilities and breaches among software applications. Of our audience, the number of developers and security folks are roughly even, and both groups voted developer awareness is a key issue.
Traditionally security engineers have been held responsible for ensuring software is secure as they are equipped with the knowledge and expertise needed. However, it was interesting to see the developers from our community also identify this as a key factor of the application security problem.
“Most of the programmers don’t have a secure architecture/design/coding background. Even in college classes, we are not taught secure practices while coding.” -Student
Our mission at reshift is to help software teams push security left by integrating security early on in the software development lifecycle. We understand developers often have a lack of security awareness and we are working to better equip them with the tools to help educate them while identifying and fixing vulnerabilities in their own code.
“There are no standards. So many vendors with “out of box” security, and most of the tools have good security but not enough training to teach the people to implement right” – Analytic Engineer
As software is being released more frequently and developers’ main goal is to continue to push new features, it’s critical that secure coding is a skill developers learn early on.
“I keep hearing “move fast” from startups and recruiters. I fear this mantra is a large reason the targets are so bountiful.” – Developer
Without having security integrated early on in the development lifecycle, it adds additional time and costs to remediate these vulnerabilities. Until developer awareness around security is solved, organizations will continue to have security gaps making an easier target for attackers to cause the next big breach.
Looking to learn and join the discussion? Join our community of security minded leaders every Friday at 12PM EST while we discuss relevant tools, security vulnerabilities, best practices, and hear from industry leaders. [Register here]
What do you think the greatest factor(s) of today’s application security problem is? Leave your thoughts in the comments below!