Cybersecurity professionals may greet with mixed emotions the news that a survey of more than 5,500 DevOps professionals (including roughly 700 application security professionals) finds 57% of those security respondents reporting that responsibility for security either has already shifted, or soon will shift, left toward developers.
Conducted by GitLab, a provider of a continuous integration/continuous delivery (CI/CD) platform, the survey suggests that as more organizations embrace DevSecOps best practices, developers are increasingly willing to be held accountable for cybersecurity along with the other aspects of managing applications on an end-to-end basis.
In general, that’s a good thing in the sense that there is a chronic shortage of cybersecurity professionals available. The more tasks handled by application development teams, the less pressure there should be on cybersecurity teams, especially if more issues are addressed before an application is deployed. In fact, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have published Securing the Software Supply Chain for Developers, a set of best practices for securing software supply chains based on the Enduring Security Framework (ESF) created via a public-private working group led by NSA and CISA.
However, the level of cybersecurity expertise that exists today among application developers is limited at best. Cybersecurity was an elective in most of the training and education programs that developers participated in, so it should come as no surprise that few of them ever attended a cybersecurity class. As such, the expectation that developers are going to be able to improve the overall state of application security any time soon needs to be tempered by current realities.
What is happening, slowly but surely, is that more security capabilities are being built into the tools and platforms developers employ, making it easier to automatically surface known vulnerabilities. One of the things that drives cybersecurity professionals to distraction is that the same vulnerabilities keep finding their way into multiple applications. It’s almost as if no developer can remember a cybersecurity issue that arose in one project when they build their next application.
The good news is that the situation is improving, but it may require a review of how cybersecurity is funded within most organizations. Cybersecurity teams tend to allocate funds to platforms they directly control. If responsibility for application security is to truly shift left, then funding for everything from tools to secure runtimes to platforms for securing application programming interfaces (APIs) will be required.
In the meantime, the onus, like it or not, is clearly on cybersecurity professionals to find a way to teach development teams which flaws to address, because the same vulnerabilities keep showing up in multiple applications. Developers don’t typically set out to build an insecure application. It’s just that in the absence of tools, processes, and training, the same mistakes will be made.
Cybersecurity professionals, of course, may have their doubts about the level of developer commitment to cybersecurity, but ignoring the issue will only ensure the worst possible outcome.