How To Get Rid Of The Blame Game Of Security Responsibility?

NovelVista

Last updated 23/07/2021


In IT organizations, many security breaches and bugs are spotted every day. But who is actually responsible for fixing them? Do we know?

GitLab’s 2020 Global DevSecOps Survey asked developers, security team members, operations pros and testers about sole responsibility for security in their organizations.

About 28% of developers, 33% of security team members, 21% of ops pros, and 23% of testers said responsibility for security lay solely on their shoulders. At the same time, 29% of security team members said everyone was responsible, nearly the same number as said they had sole ownership.

Confused yet? So were many of the survey respondents, who had a great deal to say about the fluid and frustrating nature of DevSecOps.

Here are some individual statements GitLab collected while conducting the survey:

“The team is trusted to do its own security research and implementation. We don’t know how good or bad we are.”

“I am the only one who actually cares about security in my organization.”

“I regularly put security suggestions in the box of suggestions, only to be ignored.”

“There’s a security team, but it doesn’t involve face to face with us, the dev team. So we just run the dev process without counting on them.”

But why all these grudges? Shouldn’t they have found a way to work together by now? Let’s see where it all started and what the way out of this blame game is.

The Blame Game

The story of developers and security pros not seeing eye to eye goes back a long way. In GitLab’s 2019 Developer Survey, security pros were exceptionally vocal about developers simply not doing what's needed to enable security. Developers were equally unhappy, citing security's "heavy-handed approach". In the 2020 survey, GitLab drilled down further to see if it could understand why dev and sec continue to see the world differently.

Differences between the groups quickly became obvious. According to the survey findings, 65% of security team members reported that their organizations have shifted security left. However, the devil is in the details, and the details don't always support a shift left.

A strong majority of developers are not running SAST, DAST, or container scans, and only about half run compliance scans. Even where the scans are run, under 19% put SAST results into a pipeline report a developer can access. Dynamic application security testing (DAST) fares even worse: under 14% of organizations gave developers access to those reports.

As a result, developers don't have easy access to basic information. On the other side, security professionals are frustrated that developers continue to either miss bugs altogether or find them too late in the process. Over half of security respondents (61%) agreed at some level that vulnerabilities were mostly found by security professionals (not developers) after code is merged into a test environment, which is relatively late in the process. Likewise, when asked how developers find bugs versus security teams, 93% credited developers with finding just 25% or less of the bugs in existing code, leaving 75% of the bugs for security to discover at a later stage in the process.

And, as if that wasn't frustrating enough, 69% of security team members complained it was hard to get developers to remediate bugs, even where their organizations included security as a developer performance metric.

About Author

NovelVista Learning Solutions is a professionally managed training organization with specialization in certification courses. The core management team consists of highly qualified professionals with vast industry experience. NovelVista is an Accredited Training Organization (ATO) to conduct all levels of ITIL Courses. We also conduct training on DevOps, AWS Solution Architect associate, Prince2, MSP, CSM, Cloud Computing, Apache Hadoop, Six Sigma, ISO 20000/27000 & Agile Methodologies.