August 19, 20200 mins read
“Shift left” has become the holy grail for security teams today but organizations are still struggling to successfully implement some of the key application security processes that shifting security left entails.
A new study on application security trends in 2020 sponsored by Snyk and conducted by Enterprise Strategy Group (ESG) has found that while developers are indeed being given more responsibility for testing their applications for security issues, they simply don’t have the knowledge or right set of tools to do so.
Key application security trends that continue to require attention
The latest ESG report highlights a number application security trends:
Developers still struggle to mitigate issues: 29% of respondents claimed that their development teams simply lack the knowledge to mitigate issues identified
Existing tools hindering development: 26% of respondents felt that their existing testing tools added friction and slowed down development cycles.
Poor adoption of existing tools by developers: 24% complained that their developers were simply not effectively utilizing the testing tools they have invested
Lacking integrations challenging organizations: 23% stated that their tools simply don’t integrate well with development and DevOps tools
Developer security training has a long way to go: Only 15% say that all their developers are participating in formal security training
Developers struggling with their application security testing tools
The best “shift left” solution or tool is not going to be very effective if the developers meant to use it are not adopting it.
Almost a quarter of the respondents (24%) felt that their developers were simply not effectively utilizing the application security testing tools they have invested in. The reason for this critical adoption failures can be found in other challenges pointed out by respondents - 26% felt that their existing testing tools simply added friction and actually result in slowing down development, whereas 23% stated that their tools simply don’t integrate well with development and DevOps tools.
Developers are expected to find, prioritize, and fix security issues, but require a developer-friendly tool that enables them to do so. Without this, any shift-left motion is bound to fail.
For more on helping developers prioritize the security backlog, read this inspiring blog by Snyk’s founder, Guy Podjarny.
Security teams need to evolve developer empowerment
Of course, providing developers with developer-friendly tooling is only one part of the story. As the report highlights, developers are also increasingly responsible for pushing code into production and as such require guidance and training by the security teams. Are they actually receiving this support?
One of the worrying findings in the report is that developers are not being trained properly. Yes, most organizations require their developers to undergo some amount of AppSec training, but 35% of the respondents in the survey claimed that less than half of their development teams actually participate in formal training. Only 15% say that all their developers are participating.
This echos much of the advice in O’Reilly’s book on Securing Open Source Libraries. Check out this summary and a link to a free copy of the book.
Getting “shift left” right
In today’s world, where most companies are leveraging their technology and software to differentiate themselves in their respective markets and remain competitive, the pace of development has never been more important.
Traditional security processes cannot support this fast-paced innovation. Security gates placed at the different stages of the delivery pipeline slowdown development and ultimately get ignored. The notions of DevSecOps and shifting security left through the early stages of development and into the hands of developers were born as a result of this challenge and have since become de-facto best practices.
But to successfully shift left, it’s not enough to simply hand developers a list of issues to remediate or provide them with a tool that was designed for the security team. Developers need developer-friendly tooling and the ongoing support of the security team along the way.
This is exactly what Snyk is all about.