In the dynamic world of software development, security challenges are advancing at a rapid pace. Black Duck’s 2024 “Global State of DevSecOps” report examines the evolving trends and concerns in application security, drawing insights from a survey of over 1,000 professionals across diverse industries and countries.
Key DevSecOps Security Priorities
The report identifies three primary security priorities for organizations:
- Data Sensitivity: Protecting sensitive data is the top concern, cited by 37% of respondents. This is particularly crucial in sectors like finance, healthcare, and government, where data breaches carry significant risks.
- Industry Best Practices: Following standards, such as those provided by OWASP, is essential for 36% of respondents. However, with rapid developments like AI-assisted code generation, adhering to these guidelines is increasingly challenging.
- Testing Automation: Automation, prioritized by 35%, is helping organizations streamline security testing processes, enabling security checks to integrate seamlessly into development workflows.
A Heightened Focus on Sensitive Data Protection
As security threats grow in complexity, protecting sensitive data remains a primary concern for entities handling critical information. The report highlights that 43% of applications in software development, 46% in finance, and 38% in government prioritize data sensitivity, underscoring the importance of encryption, secure data protocols, and thorough storage practices.
Emphasis on Best Practices and Open Source Compliance
The report indicates that 36% of organizations rely on third-party standards as a foundation for application security. However, open-source code, frequently used through snippets, introduces new risks. AI-generated code adds to these concerns by potentially introducing code with licensing conflicts. According to Black Duck’s 2024 OSSRA report, 53% of applications contain open-source code with license issues, underscoring the need for diligent oversight.
Automation’s Role in Security Testing
Automation is becoming a vital part of security solutions, with 35% of respondents prioritizing streamlined testing. Centralized security management provides benefits, such as reducing system complexity and enhancing coordination across development workflows.
However, 82% of organizations utilize six to 20 security tools, which often results in “noise”—false positives, duplicate alerts, and misidentified risks. This noise affects efficient resource allocation, with 60% of respondents reporting that 21-60% of their results are unreliable.
AI’s Impact on Software Development Security
The adoption of AI in software development is widespread, with over 90% of businesses leveraging AI tools. Yet, only 24% express high confidence in securing AI-generated code. Additionally, 27% of respondents allow AI use in development despite lacking robust security protocols. As organizations rapidly embrace AI, they face unique risks related to intellectual property and data privacy, prompting many to develop new policies for AI use.
Ongoing Struggle: Balancing Security with Development Speed
The report also highlights the persistent struggle to balance security with development speed. Eighty-six percent of respondents report that security testing slows down development, with 43% noting a moderate impact. Manual test queue management exacerbates these delays, and one-third of respondents relying exclusively on manual processes report significant slowdowns.
A Future Path for DevSecOps
The 2024 DevSecOps landscape reflects fast-paced AI adoption, an expanding tool ecosystem, and a drive to integrate security within development pipelines. However, organizations continue to grapple with security testing noise and the tension between security and speed.
Black Duck’s report suggests that successful firms will be those that simplify their toolsets, leverage automation, and encourage closer collaboration between security, development, and operations teams. As the industry evolves, a path to a more secure and efficient DevSecOps environment becomes clearer.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.