Two new reports find that developers are struggling to keep up with an endless flood of security issues, and that overall security is suffering as a result. 42% of developers self-reported pushing vulnerable code at least once a month, and respondents said they are able to address only 32% of known vulnerabilities.
Respondents were also asked what they consider to be the #1 challenge of their application security program, and the leading response was “developers not doing what the security team tells them to do.” Archie Agarwal, Founder and CEO at ThreatModeler, commented that, given the current landscape, addressing vulnerable code has to be an integrated effort: “Recent breaches further stress the fact that companies don’t have a firm grasp on the complexities of their own applications. With the continued move to more aggressive DevOps pipelines that include many different components such as source code, open-source packages, and APIs, it is extremely rare that one person or team understands the threat landscape of the entire application, system, or appliance. Organizations need to better understand how their systems work and what type of threats the architecture may be prone to. Threat modeling is the primary route to delivering a secure design. It is far more challenging and resource-intensive to re-engineer security after the fact than it is to weave it into the design and build from the start.”