Organizations strive to achieve perfection and sometimes look to emulate the best practices of peer organizations to do so. When it comes to software development, global technology leaders like Google, Amazon, Uber, Apple, et al. immediately come to mind as best-in-class practitioners. Seeking to understand what software development life cycle (SDLC) practices these technology leaders use, Contrast Security surveyed 100 developers from 50 of the world’s leading technology companies.
Hundreds of Applications in Development and Management
The survey was conducted over email as well as through a call centre during August 2020. Respondents were part of development teams that ranged from a few thousand to over 100 thousand. Nearly two-thirds of respondents indicate their organizations develop and manage over 800 applications, and over 63% are responsible for more than 250.
SDLC Can Make or Break a Technology Company
On some fronts, developers in technology companies are much like developers across other industry segments. But in other ways, developers in technology firms are measured differently, and therefore they need to adhere to distinct development approaches.
As a result, it isn’t surprising that the overwhelming majority (85%) believe there are significant differences between technology companies and other industries. What precisely makes them unique is a different question. Nearly 3 in 10 developers in the survey believe their tools make them unique, whereas another 18% point to the extraordinary nature of the team members themselves.
85% of developers believe there are significant differences between technology companies and other industries.
Developers Are Struggling for Faster Digital Acceleration
One recent study of CEOs found that nearly 7 in 10 believe that nothing, including security, should be allowed to hamper development processes. And although technology companies are achieving faster development and release cycles than other industries, developers in technology report that they continue to be under increased scrutiny to accelerate digital innovation.
Nearly 8 in 10 in our survey said they “strongly agree” or “agree” that they’re struggling to shorten release cycles and commit more code. Not every job title in the survey felt the same, with build engineers, QA engineers, and application security architects expressing the highest sense of pressure.
This response is a bit surprising considering the speed at which survey respondents indicate they’re writing and releasing code. Fully 85% of them deploy code to production at least multiple days per week, with almost two-thirds doing so daily. Achieving this rate of code releases requires adoption of open-source frameworks and libraries, which survey respondents confirm: two-thirds have adopted open source in at least 75% of their applications.
Despite writing and deploying code into production at dizzying rates (in most cases daily), almost 80% of developers say they’re struggling to tighten the reins even further.
Application Security Challenges Remain
While the survey report reveals a variety of positives when it comes to the SDLC, it also exposes a list of application security challenges that remain to be solved for many modern software development teams. The number of application security tools in use continues to proliferate, and almost three-quarters of the survey respondents said they have too many. In the majority of instances, survey respondents indicated that these tools are not integrated with their IDE and continuous integration/continuous deployment (CI/CD) pipeline processes and tools.
At the same time, the lack of integration creates substantial inefficiencies for developers. Nearly 8 in 10 say they spend too much time diagnosing and triaging security alerts (and more specifically false positives). These factors cascade into a cross-disciplinary efficiency drain. Six in 10 respondents indicate they spend too much time coordinating with their security counterparts on vulnerability remediation. Additionally, the larger the development team, the larger the issue: the number increases to almost 7 in 10 for teams managing over 800 applications.
Almost 80% of developers spend too much time diagnosing and triaging security alerts, and 60% spend too much time coordinating with their security counterparts.
As many legacy application security tools require specialized expertise, many development teams must hire hard-to-find and hard-to-retain application security staff to manage penetration testing, application scanning tools, and reconciliation of findings. With these specialists in high demand, it’s not a surprise that nearly three-quarters of survey respondents indicated they’re unable to find and retain the staff needed in this area.
Yet, significant concerns about security remain. For instance, one-third or more of survey respondents lack confidence in their API and CI/CD infrastructure security.
On top of the above, application vulnerabilities remain a big challenge. 85% of developers indicate the typical application has more than 10 vulnerabilities, and almost half say they have more than 20. Just as troubling is the fact that it takes developers a long time to fix most vulnerabilities: only 31% hit the median within 30 days (41% hit the 75% milestone in 90 days).
But There’s AppSec Good News, Too
Putting aside the challenges, there’s reason to see the glass as half full as well. The amount of code being written and the speed at which it’s being released into production continue to accelerate. 85% of development teams now deploy code into production at least multiple times per week, and many do so even more frequently. Helping to accelerate this business transformation is the adoption of open-source libraries and frameworks.
There is a bit of good news concerning security in the survey as well. MTTR and vulnerabilities were frequently cited as top evaluation areas by developers.