Most developers believe their enterprise has a mature security posture, but nearly half find it challenging to stay up to date with current security and compliance-related activities, Security Compass, an application security provider, said in a new study.
The Toronto, Canada-based company’s 2022 Developer Perspectives on Application Security survey was conducted in Q2 2022 and based on 250 respondents from the U.S. and U.K. markets working in companies ranging from $10 million to $10 billion in annual revenue.
What We Learn From the Security Compass Report
Key takeaways from the study include:
- The number one most important means to thwarting security threats according to developers is automated threat modeling; 46% claimed it was “mission critical” and another 36% indicated it was “quite important”.
- 42% of developers who have been assigned requirements related to security and compliance find it challenging to stay up to date with current security and compliance-related activities.
- 28% of respondents claim that scope creep in security compounds challenges, with another 19% believing that security processes take too much time.
- Overall, developers are in favor of security training, with 32% of developers opting to pursue training on their own; 63% of respondents reported being mandated to do training.
- Developers from smaller companies ($10M to $100M) were more than twice as likely (31% vs. 14%) as those from the largest companies ($5B+) to use ad hoc or reactive means to gate-keep releases from a security perspective.
- On average, 34% of software requirements are related in some way to security and compliance, yet only 25% of companies have shifted security left into the Design Stage of software development.
The Importance of Building Cyber-Secure Software
Rohit Sethi, Security Compass chief executive, explained that software developers need to infuse security into everything they do:
“When building secure software, developers must be system thinkers. Ideally, they engage secure methods early in the design process, engage with key security personnel and stakeholders and insist on automated cybersecurity tools that efficiently guide them throughout the SDLC. Software built with the needs of software developers at the forefront is essential to the task of cybersecurity, and companies that want to attract and support developers in their efforts to build cyber-resilient software need to look to integrated cybersecurity software.”