News
Dev-Sec Convergence: New Research Details Progress and Setbacks on the Road to Secure Innovation
October 2021 by Wakefield Research & Invicti Security
The vast majority of organizations are increasing their investment in application security this year, but they continue to struggle to fully embrace secure innovation. A new market study released today by Invicti Security™, Application Security and the Innovation Imperative, examines how companies are contending with the strategic need to innovate and the existential risk posed by cyber threats.
Conducted in partnership with Wakefield Research, the report is based on a survey of 600 executives and hands-on-keyboard practitioners across security, development and DevOps spanning over 20 industries including manufacturing, technology, government, retail, and education.
The findings reveal both encouraging trends and continued challenges:
? Tight timelines and innovation pressures for those on the front lines mean skipped security steps. And, integration is still a work in progress: 70% of respondents “frequently” or “always” complete projects without carrying out all security steps. Additionally, integration into the software development life cycle (SDLC) is lacking, with only 20% reporting they have fully shifted left and another third in the “messy middle.” The repercussions of this are clear, with one in three issues under remediation making it to production without being caught in the dev or test stages.
? Dev and sec are collectively stressed out, but the animosity between the two groups has been exaggerated: An eye-popping 78% of dev and sec respondents suffered increased stress levels this year and 73% actually considered quitting their job because of this stress. Despite the well-known reputation for friction between the two groups, 76% feel they have a shared passion for security and work as one team that often collaborates to address security issues. This compares with only 17% who classified the relationship as “frenemies” and 7% “strangers.”
? Underpowered tools and manual processes impede efficiency, but practitioners know what it will take to address the problem. It would take a whopping two weeks per team member on average to address their organization’s current backlog of security issues — and that’s if they don’t work on anything else. Adding to this, 78% say they are forced to perform manual verification of vulnerabilities always or frequently. False positives no doubt play a role in this: 96% report they are problematic at their organization, and 39% say they increase friction between dev and sec. But these teams know what it will take to dig out of the mess: increased automation (60%) and more integrations (99%).
“The study reflects that while there is a growing recognition that security must be a core element of innovation, organizations continue to struggle to achieve that vision,” said Mark Ralls, President & COO of Invicti. “It’s on leaders to set the tone from the top-down and drive organizational culture shifts that increase emphasis on security and equip teams with the powerful tools and effective workflows they need to make secure innovation a reality.”
Delivering innovative AppSec solutions since 2005, Invicti has protected more than 800,000 websites for over 3,100 customers globally. For the first time, Invicti was included this year in the 2021 Gartner Magic Quadrant for Application Security Testing. The company has also recently been recognized by G2 as a Momentum Leader for its Acunetix and Netsparker products, won two Cyber Defense Global InfoSec Awards this year, and is also the recipient of a 2021 Globee Award for Cyber Security Global Excellence.
