Some 35 percent of developers receive no formalised training on secure coding practices, and many organisations bolt security on at the end of the development lifecycle, handled by a team in a separate silo.
Newly published research reveals that only half of continuous integration (CI) and continuous delivery (CD) workflows include application security testing elements despite respondents citing awareness of the importance and advantages of doing so.
The DevSecOps Realities and Opportunities study by 451 Research, commissioned by Synopsys, appears to suggest that many developers who are well aware of the importance of security in the DevOps process will proceed to ignore it anyway.
Analysing responses from some 350 decision-makers at large enterprises across a wide range of industry sectors, the study found that software composition analysis (SCA), which identifies open source software components affected by known vulnerabilities, is understood to be the most critical application security element to incorporate into the development workflow. Somewhat surprisingly, then, it also discovered that almost 40 percent of organisations don’t use SCA (or claim not to have any open source components). The latter claim is more surprising still, given that a Black Duck Software report on open source security and risk analysis suggested at least 95 percent of applications do contain open source components.