Growing developer focus on software security

JFrog has released the findings of an IDC survey indicating developers are spending significantly more time and companies are spending$28K per developer yearly on security-related tasks such as manual application scan reviews, context switching, and secrets detection, among other items.

  • 1 month ago Posted in

The IDC InfoBrief, “The Hidden Cost of DevSecOps: A Developer’s Time Assessment,” sponsored by JFrog, showed 50% of senior developers, team leaders, product owners and development managers experienced a significant increase in the number of hours spent weekly on software security-related tasks, detracting from their ability to innovate, build, and deliver new business applications,

"Securing the software supply chain already poses significant challenges for organizations, but it becomes more complex when multiple tools are used, forcing developers to toggle between multiple environments, leading to inefficiencies, wasted time, and increased risk,” said Asaf Karas, CTO of JFrogSecurity. “IDC’s survey creates a compelling case for companies to invest in streamlined securityprocesses, tooling and training, to empower their developers to be more efficient and effective in protecting the software supply chain.”

Half of survey respondents said they spend an estimated 19% of their weekly hours on security-related tasks, oftentimes outside normal working hours, which could lead to a reactive approach to securityrather than a proactive one. Other key findings from the IDC survey include:

• Chasing Ghosts: Eliminating False Positives: Developers spend 3.5 hours on average manually reviewing security scanning findings because of false positives and duplicates.

• Context Matters: 69% of developers agree or strongly agree that their security-related responsibilities require them to frequently switch contexts between various tools, slowing efficiency. Multitool context switching can also increase token usage for bypassing reauthentication per platform. Tokens can be helpful in application development but can also be quickly forgotten and leave backdoors in companies’ systems for attacks.

• Secrets are No Fun: Developers devote 50% of their time to understanding and interpreting secrets scanning results, making changes to code to remediate findings, and updating secrets management measures.

• Infrastructure Investigation: Infrastructure-as-Code (IaC) – used to automate the provisioning and management of IT infrastructure, such as servers, networking, operating systems, and storage – must be scanned every time code changes, with more than 54% of developers saying they run IaC scans weekly or monthly.

• SAST Isn’t a Blast: Despite static application security testing (SAST) tools being integrated to local development environments to provide findings as developers code, only 23% of developers are running SAST scans before deploying code into production, leaving a huge gap for malicious code to slip through.

"DevSecOps is not just a business imperative; it is the cornerstone of building the secure applications of the future. However, a significant challenge lies in overcoming inefficient, poorly implemented tools that squander developers’ time and inflate costs,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “To be successful, IT and software development team leaders must automate repetitive and time-consuming tasks, ensure DevSecOps tools deliver accuracy with minimal false positives, and provide ongoing access for developers to application security education and resources so they can keep pace with a rapidly increasing threat landscape."

On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
Humans may do a lot less of the testing themselves in the future, but they will still have to peer...
New research from Mendix finds that low-code tools are no longer simply a tactical solution for...
Global study of over 1,300 tech professionals uncovers opportunities for enhanced security training...
Global IT Business-to-Business (B2B) revenues, coming from data centers, IT services and devices,...
Confluent adds Table API support for Apache Flink® making it even easier for developers to use...
Although 85% of total respondents have integrated AI apps into tech stacks in the past year, most...
Redefining “impossible” legacy projects, 75% of software executives see up to a 50% reduction...