Today’s software developers and engineers are no longer only writing code; they are increasingly being tasked with security testing it as well. And even though vulnerabilities are typically exploited within days of becoming public, it appears some businesses take weeks to months to patch them. These are among the recent findings of a DevSecOps report by the Synopsys Cybersecurity Research Center. Read more below.

SINGAPORE: Synopsys, Inc. (Nasdaq: SNPS) released its “Global State of DevSecOps 2023” report on software security strategies, tools, and practices. The Synopsys Cybersecurity Research Center’s new report is based on a Censuswide survey of more than 1,000 IT professionals worldwide, including developers, appsec professionals, DevOps engineers, CISOs, and technology, cybersecurity, and software development experts.

Over 80% of survey respondents said a serious software security issue affected their DevOps delivery schedule last year.

“While a vast majority [91%] of organisations have adopted some level of DevSecOps practices, they continue to face barriers to effectively implementing its methods, especially at enterprise scale,” said Jason Schmitt, general manager, Synopsys Software Integrity Group. “Specifically, we’re noticing that organisations across the globe are struggling with integrating and prioritising the results from the multiple application security testing tools used by their teams. They also struggle to enforce security and compliance policies automatically through infrastructure-as-code, a practice that was cited most often by respondents as a key factor of their security program’s overall success.”

According to the report, most security professionals use AI, yet many are apprehensive about its risks. 52% of the respondents use AI to improve software security at their company, while 76% are “very or somewhat concerned” about errors or other problems with AI-based cybersecurity solutions.

Although most vulnerabilities are exploited within days of disclosure, 28% of the respondents indicated their companies take up to three weeks to patch serious application security issues, and another 20% stated it can take up to a month.

At least two-thirds of the respondents found security tools and practices such as dynamic application security testing (DAST), interactive application security testing (IAST), static application security testing (SAST), and software composition analysis (SCA) useful. The report finds SAST to be the most beneficial AST tool, with 72% saying so, followed by IAST (69%), SCA (68%), and DAST (67%).

The report found that security testing of business-critical apps and continuous improvement (CI) pipelines is handled about equally often by software developers and engineers (45%) and by internal security team members (46%). 33% of companies use external consultants to supplement internal teams.