In a recent Research Synopsys stated that 48% of organizations deliberately push vulnerable code in their application security programs due to time constraints. The survey has been published after a thorough investigation conducted on more than 400 U.S.-based developers who work at organizations where they currently have CI/CD tools in place.
The survey report named “Modern Application Development Security” examined to what extent threat security teams understand modern development and deployment practices, and where security controls are required to lower the risk.
Following the survey, 60% of respondents mentioned that their production applications were exploited by OWASP top-10 vulnerabilities in the past 12 months.
42% of developers push vulnerable code once per month.
The research stated that certain organizations knowingly push vulnerable codes without a thorough understanding of the security risks that they are taking. Employees think that it does not come into their bucket of responsibility to fix the code before the immense pressure.
29% of developers within their organization lack the knowledge to mitigate issues. Developers play a very important role in application security, but the report stated that they lack the skills and training. Nearly one-third (29%) of respondents express that developers within their organization lack the knowledge to mitigate issues identified by their current application security tools. Further, the report said that Developers fix only 32% of known vulnerabilities.
The researchers have also given solutions to fix the vulnerabilities efficiently. A third of vulnerabilities are noise. To reduce false-positive vulnerabilities, scans must have access to all of the required data so that security tools can accurately research whether vulnerability exists. Reducing security noise will allow developers to address security issues confidently and on time.
Following the research, Tromzo CTO Harshit Chitalia said, “These findings show that developers regularly ignore security issues, but can we really blame them? Security teams are bombarding them with an endless stream of issues that need to be addressed with no way for them to separate what’s actually critical from all the noise, all while they are expected to release software more frequently and faster than ever before…”
“…If we want developers to truly implement security, we must make it easy for them. This means integrating contextual and automated security checks into the SDLC so we can transition from security gates to security guardrails,” he further added,
