Software developers fix only 32% of vulnerabilities and regularly publish vulnerable code. This is reported in the latest report from Tromzo, a company that provides tools for secure development.
The Tromzo study involved more than four hundred developers in the United States working in companies that use CI/CD tools.
“As the study shows, developers regularly ignore security issues, but can you blame them? Security teams bombard them with an endless stream of problems that need to be fixed, but there is no way to isolate truly critical problems from the general flow. At the same time, they should release software more often and faster than ever,” said Harshit Chitalia, technical director of Tromzo.
According to the expert, if companies want developers to take on security work, they must reduce the pressure on them. To do this, contextual and automated security verification needs to be integrated into the software development lifecycle (SDLC).
According to the report, 42% of developers publish vulnerable code once a month. If a developer knowingly releases vulnerable code, it means that they either believe fixing vulnerabilities is not their responsibility, or that the other primary tasks the company sets for them push security into the background.
Developers fix only 32% of known vulnerabilities. Considering the number of false-positive security notifications they receive daily, 32% is a very good result, provided the developers manage to work out what exactly needs fixing. Unfortunately, without security training and experience, developers cannot distinguish real problems from false positives.
A third of all reported vulnerabilities are nothing more than noise. To reduce false positives, scanners must be given access to all the information assets they need so that they can accurately determine whether a vulnerability is actually present. Reducing this noise will allow developers to deal with real vulnerabilities more confidently.
33% of developers believe that development and security are two separate things. When the development and security teams work in isolation, security flaws and gaps appear throughout the SDLC, leading to vulnerabilities and a poor user experience.