The benefits of implementing continuous security in the development lifecycle
Wabbi published new research with IDG that finds companies utilizing continuous security have decreased vulnerabilities by 50%.
The study focused on the integration of development and security, as well as the benefits of continuous security. Participants included IT and security leaders, software/application development managers and directors across industries and company sizes. The data explored priorities and trends around integrating security throughout the software development life cycle (SDLC). The key findings follow.
IT/security leaders recognize the value of integrated security
With the variety and number of attacks increasing every day, it can seem an insurmountable task to build defenses that account for every potential risk. What’s more, success can be measured differently depending on each business’ priorities. However, the importance of security integration within the SDLC is clear: 98% of respondents place high importance on integrating security throughout the development lifecycle, yet only 15% report that security is always integrated from the beginning of the development lifecycle.
The lack of security integration within the SDLC has resulted in project delays (72%), financial loss (63%) and/or compromised brand reputation (57%). However, organizations understand that the benefits of integrating security go beyond reducing breaches: 70% of respondents actually cite increased productivity as the top benefit of security integration, with cost savings and reduced security breaches tied for second, each cited by 67% of respondents.
“To overcome the legacy disconnect between development and security, security must be integrated throughout the development lifecycle,” said Brittany Greenfield, CEO, Wabbi. “This report clearly shows that teams have overcome the cultural challenges in understanding the importance of integrating security; however, there is still structural work to be done to implement a continuous security approach to deliver more secure code, fewer breaches, less economic loss, reduced delivery delays, and fewer business interruptions.”
Organizations embracing automation avoid bottlenecks
Current application security processes are creating bottlenecks for all respondents: 53% of respondents cited bottlenecks happening “to some extent,” while 47% reported bottlenecks to a “great extent.” The top reason cited for the bottlenecks was poor collaboration between DevOps and security teams (72%), followed by difficulty in identifying the correct project- and feature-level security requirements due to complex documentation (71%), and lack of security process orchestration as part of the SDLC/CI/CD (68%).
Only 30% of respondents cited manual processes as a bottleneck in the development process, which suggests respondents do not connect manual processes with the bottlenecks that result from them. While DevOps processes are typically highly automated, 55% report moderate or low automation of security processes. Further, at 61% of organizations, the feedback sharing process between development and security teams isn’t fully automated. Even so, most respondents (79%) report their security teams acknowledge and respond to feedback from development teams.
Implement continuous security to empower development teams
While just 31% of respondents have empowered development teams to own application security, these organizations are less likely to report having released applications with security vulnerabilities in the past year (50% versus 73% among others), and are more likely to be provided with security requirements and given opportunities for feedback in the planning stage of the SDLC (48% vs. 16% among others).
Additionally, these respondents more often report that feedback sharing processes between development and security teams are fully automated (49% vs. 25% among others). Furthermore, they are almost twice as likely to have already adopted a continuous security approach (17% vs. 9%).
Respondents cite empowerment of development teams (73%), enablement of real-time collaboration (72%), and reduced security risk (70%) as the top potential benefits of a continuous security strategy.
22% say they are piloting a continuous security strategy, with 46% planning to adopt one in the next year. Those that have fully adopted continuous security are able to leverage the integration, automation and feedback loops to ship fewer vulnerabilities. For those that aren’t quite there yet, it doesn’t have to be a complex implementation—as long as there is a process in place, organizations can implement continuous security to empower development teams, enable real-time collaboration, and reduce security risk.