Developer-first Security sucks! Why is it essential to automate product security?
Let’s start with some facts to understand why it sucks!
On one hand:
- Cybercrime went up 600% due to the COVID-19 Pandemic
- Data breaches and cyber attacks in 2021 were 5.1 billion breached records, this is 11% more than in 2020
- 79% of companies have experienced at least one cloud data breach in the past 18 months
- Software supply chain attacks jumped over 300% in 2021
- It is estimated that worldwide, cyber crimes will cost $10.5 trillion annually by 2025.
(Data from Purplesec, IT Governance, VentureBeat)
On the other hand:
- 70% of development teams always or frequently skip security steps due to time pressures when completing projects
- Almost 60% of devs are releasing code 2x faster, thanks to DevOps.
- In 2021, only 20% of organizations have fully integrated security into the development
- Security has low priority. 67% of developers surveyed by Secure Code Warrior admitted that they routinely left known vulnerabilities and exploits in their code
- Github expects the number of software developers using its platform (56 million in 2020), to grow to 100 million developers in 2025
(Invicti Security, Gitlab, GitHub, VentureBeat)
Security vs Developers
Security teams focus on planning secure IT environments, but developers are asked to focus on productivity while they are also tasked with implementing these security plans. The main issue is that developers are often left out of security planning processes, creating a strained relationship between these two teams.
It is important to build a healthy relationship where trust, communication, and collaboration are key to moving toward the organization’s north star. But traditional security teams sometimes see themselves as inspectors of the developer's work. And that attitude needs to change - “when you’re a hammer, everything is a nail”.
Did you know that in “Gartner's Top Strategic Technology Trends for 2022: Cybersecurity Mesh”, the word "developer" is not included not even once? We were shocked about it; developers need to have a leading role in cybersecurity!
It’s “Shift Left Security” time!
With shift left security we mean moving security sooner in the development process. Teams should provide developers with the right tools to do their job securely; this is why it is essential to automate product security.
But most of the new security solutions are focused on selling to the CISOs and their security teams, maybe because they are the ones with the budget for “security”; but what about developers? Most of their new solutions are oriented toward productivity, which makes sense since we live in an agile world, but what if there were new developer-first security solutions? Well, it is about time; a recent survey from Forrester shows that last year 27% of organizations had their development teams holding the budget for application security tools and that number has increased to 37% this year.
Developer-first security Tools
While some security tools for developers have started to appear, it is still early days. The ecosystem needs solutions to automate security for developers and most importantly, that is reliable. Our hypothesis is that the most important products will come from the open-source community; they have a genuine interest in supporting and empowering developers.
We are consolidating a list of reliable open source developer-first security tools for security, if you know of a project we should consider, or if you would like to have access to this list, please send me an email or/and help us spread the word! 🙌