A DevOps survey revealed that many developers have yet to take responsibility for the security of the code they produce.
According to Checkmarx’s report, “Managing Software Exposure: Time to Fully Embed Security into Your Application Lifecycle,” 93 percent of respondents said it’s either highly desirable or desirable that developers take responsibility for the security of the code they produce. But many developers aren’t living up to this ownership. Just 51 percent of respondents reported that their developers shoulder this duty. Forty-one percent of participants revealed this issue is addressed quite poorly or not at all at their organization.
Feeding this challenge could be a lack of training among developers on how to produce secure code. Nearly all (96 percent) respondents emphasized the importance of this training. But less than half said it’s being appropriately addressed at their workplace. Meanwhile, 49 percent of participants asserted that this training is not receiving the focus it deserves.
For its report, Checkmarx surveyed 183 individuals who hold IT, security and software development titles at organizations worldwide. Their responses help illustrate some of the challenges involved with injecting security into the DevOps cycle.
One of the obstacles uncovered in the study is the fact that software security is still overlooked by many boards. More than half (57 percent) of respondents said that software security now warrants a boardroom-level discussion. But 45 percent said it’s hard to get executives’ buy-in for this issue.
Another challenge revealed in the report is that developers and operations personnel are still struggling to build a cohesive DevOps culture. Seventy-two percent of survey participants said as much when they admitted that different teams within IT are still reluctant to trust one another.
It’s important that organizations consider all of these challenges to merging DevOps with security going forward. But Checkmarx has a recommendation for what should be the priority:
The reality is that in order to prevent potential software exposure throughout the software development lifecycle, we must first tackle the issue of ownership and responsibility, bringing together employees of diverse skill levels and backgrounds to help inspire more mutual trust and respect.