ZeroNorth, the only company to unite security, DevOps and the business through application security automation and orchestration, and Ponemon Institute announced today the results of new research exploring the cultural divide between application security (AppSec) and development teams. According to the study, 75% of AppSec practitioners and 49% of developers believe there is a cultural divide between their respective teams.
As digital transformation takes hold, it is increasingly vital that AppSec teams and developers work well together. With DevOps methodology seeing more adoption, teams are delivering software at continually higher velocities. Speed is the culture of DevOps, which often runs counter to the culture of security, which tends to be risk-averse and rigid. The research, conducted by Ponemon Institute, surveyed 581 security practitioners and 549 developers on the cultural divide, its implications, the impact of COVID-19 and teleworking on the divide, and how to bridge the divide.
The findings of the research highlight both the software delivery and security impacts resulting from the cultural divide between AppSec and developer teams. For example, more than half of developers (56%) say AppSec stifles innovation. On the other hand, 65% of AppSec professionals believe developers do not care about securing applications early in the software development lifecycle.
Importantly, too, for AppSec and developers to share a culture centered on delivering secure applications, there must be a shared understanding of risk. The teams are not aligned on this front, however: only 35% of developers say application risk is increasing, while 60% of AppSec professionals believe this to be true.
“As this survey shows, the cultural divide is here today, and will become more exacerbated as organizations move towards DevOps, rendering the traditional, centralized model for security obsolete,” said ZeroNorth CEO, John Worrall. “We believe this opens the doors for CISOs to become a pillar that supports the bridge between AppSec and development cultures. By enabling a culture that empowers both development and security to execute on their priorities, CISOs can transform the cultures that stifle innovation while significantly improving security.”
“This important research reveals the serious impact the AppSec and Developer cultural divide can have on an organization’s security posture,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Based on the research findings, we recommend organizations take the following five steps to help bridge the cultural divide: (1) ensure sufficient resources are allocated to ensure applications are secured in the development and production phase of the SDLC, (2) apply application security practices consistently across the enterprise, (3) ensure developers have the knowledge and skill to address critical vulnerabilities in the application development and production life cycle, (4) conduct testing throughout the application development and (5) ensure testing methods scale efficiently from a few to many applications.”
Among the key findings of the report:
Understanding the cultural divide and its implications:
- Developers and AppSec practitioners don’t agree on which function is responsible for the security of applications. 39% of developers say the security team is responsible, while 67% of AppSec practitioners say their teams are responsible.
- AppSec and developer respondents admit working together is challenging, with AppSec respondents saying it is because the developers publish code with known vulnerabilities. Developers say security does not understand the pressure of meeting their deadlines and security stifles their ability to innovate.
- Digital transformation is putting pressure on organizations to develop applications at increasing speeds, which puts security at risk. 65% of developer respondents say they feel the pressure to develop applications faster than before the digital transformation, and 50% of AppSec respondents agree.
- 71% of AppSec respondents say the state of security is undermined by developers who don’t care about the need to secure applications early in the SDLC, and 69% say developers do not have visibility into the overall state of application security.
The impact of COVID-19 and teleworking on the cultural divide:
- 66% of developers and 72% of AppSec respondents say teleworking is stressful. Only 29% of developers and 38% of AppSec respondents are very confident that teleworkers are complying with organizational security and privacy requirements.
- 74% of AppSec and 47% of developer respondents say their organizations were highly effective at stopping security compromises before COVID-19. After the pandemic started, only one-third of each group say their effectiveness is high.
To download a copy of the “Revealing the Cultural Divide between Application Security and Developers” research report, visit: https://go.zeronorth.io/PonemonZNReport. On Thursday, October 1 at 1pm EDT, you can also join a webinar with Dr. Larry Ponemon, ZeroNorth CEO John Worrall and Christian van den Branden, SVP of Engineering at ZeroNorth, as they offer their perspectives on the research results and discuss the five steps Ponemon Institute recommends organizations take to help bridge this cultural divide. Register here: https://go.zeronorth.io/PonemonZNWebinar
ZeroNorth brings security, DevOps and the business together to improve application security performance and reduce organizational risk. The company’s application security automation and orchestration platform unites enterprises to rapidly identify, prioritize and remove the vulnerabilities standing in the way of software excellence. In an age where the security of applications needs to be everyone’s responsibility, ZeroNorth is where organizations come together for the good of software.
About Ponemon Institute
Ponemon Institute was founded in 2002 by Dr. Larry Ponemon and Susan Jayson. The Institute is dedicated to independent research and education that advances the responsible use of information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the security of information assets and the IT infrastructure.