SlideShare a Scribd company logo

Lisa Conference 2014: DevOps and AppSec - Who is Responsible

Download as PPTX, PDF
S
SeniorStoryteller

The document summarizes the results of a survey about application security and the responsibilities of developers. It finds that while developers feel personally responsible for security, many lack clear security policies and processes from their organizations to enforce standards. It also finds that security testing is often not automated and occurs late in the development cycle, and that testing of open source components, which make up a large portion of applications, is lacking. The survey suggests organizations need to define security policies and processes and integrate security testing earlier to help developers prioritize security.

Technology
1 of 26
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Developers and Application Security: Who is Responsible? SURVEY RESULTS, November 2014 Mark Miller, Senior Storyteller
Mark Miller
Survey Sponsors
41% Q5 - In what industry does your business operate? 20% 17% 10% 6% Technology / ISV Consulting / SI Financial Services & Insurance Media / Entertain Public Sector Telecommunications Consumer Goods / Retail Other 14% 10% 6%
Operations 25% Security 16% Other 3% DevOps 30% Development 26% Q1 – What is your role within your current organization?
Senior Management 8% Executive Management 6% Practitioner 46% Manager 40% Q3 – What is your responsibility level?
13% Q9 - Percentage of open source software? 40% 14% 15% 15% 0% open source 20% open source 40% open source 60% open source 80% open source 100% open source 5% 67% >5000 employees 50% in FSI 41% in Consulting 31% in Government 27% in Tech 44% for Java developers {What people estimate they are doing
13% Q9 - Percentage of open source software? 14% 15% 15% 0% open source 20% open source 40% open source 60% open source 80% open source 100% open source 5% 67% >5000 employees 50% in FSI 41% in Consulting 31% in Govt 27% in Tech 44% for Java developers {What people estimate they are doing What app scans reveal 40%
57% Q10 - For custom development, what languages are used? 31% 30% 25% 21% Java PHP .NET Ruby C/C++ 83% with > 5000 employees FSI: 82.5% Banking/Finance: 88% Government: 74%{
Q11 - Who is the primary driver behind AppSec initiatives? 40% say dev (Q14) 76% say dev spends less than 15% time on AppSec (Q15) 42% say dev knows its important but does not have time to spend on it {40%
Q11 - Who primarily drives AppSec initiatives? (filtered for developers only) 67% devs think they are the primary driver; (Q15) 26% say security is not their focus, 40% say they have no time to spend on it; (Q17) 74% state we have no policies or policies are not effectively enforced Observations: 84% w/ >5000 employees think it’s compliance / risk management {67%
Q12 – Your role in AppSec? (1=not at all, 10 = highest priority) w/ >5000 employees, 75% rank security 8+ priority (Q17 – 58% of >5000 employees feel there is no clear security policy or that policy is not effectively enforced; 18% we don’t have clear policies 81% state Adherence to internal security policies is a top concern Conclusion: strong personal sense of responsibility, but little to not policies to enforce security standards; people make up their own standards w/ 101 – 1000 employees, 76% rank security 8+ priority Q17 – 67% employees feel there is no clear security policy or that policy is not effectively enforced. Q13 - 74% state adherence to internal security policies is a top concern Conclusion: “App Sec is important to me but we lack corporate policies so I’ll determine my own.”
Q13 - Are any of these security concerns? 65.03% {#2 overall issue but only 31% test it #1 issue for government
Q14 - How much time to developers spend on security?
Q15 - Interest of in-house developers in regard to AppSec 41% in FSI know its important but don’t spend time 42% in tech {
Q16 - When does App Dev spend time with security group? Observations: 23% say security checks happen, but (Q17) Only 12% have automated End of development cycle - 62% in government (#1 answer), 47% in financial services Historically, ‘end of development cycle’ is the most expensive option
Q17 - Describe your current app security policies (Overall) Observations: 67.05% do not have clear, well defined, enforced policies 12.5% have well defined, automated policies
Q17 - Describe your current app security policies (filtered for government) 59% policies not enforced compared to: 40% in FSI 28% in Tech{ 24% don’t have policies in place compared to: 20% in FSI 30% in Tech{Automated late in Development18% Automated across SW lifecycle12%
Q17 - Describe your current app security policies (Developers only) 42% Do not have clear policies Observations: “I am responsible, but I have: • No tools • No policy • No time 9% Automation across lifecycle 7% Automation late in development cycle
Q20 - If doing CI, how often is code compiled? Observations: If there is continuous integration, the percentage of automated testing increases 40% automate security testing here.
Q23 - Where is security testing automated? Lower Cost Highest Cost High Cost Lower Cost
Q18 - What are you testing? Observations: 80%+ of app composition is open source 30% of companies test open source • 37% tech • 20% in FSI • 29% in government
Summary
Get the deck right now, within seconds Community@Sonatype.com
Survey Sponsors
Developers and Application Security: Who is Responsible? SURVEY RESULTS, November 2014 Mark Miller, Senior Storyteller

More Related Content

PDF
The Hidden Risk of Component Based Software Development
Sonatype
 
PDF
Sonatype's 2013 OSS Software Survey
Sonatype
 
PPTX
Live 2014 Survey Results: Open Source Development and Application Security Su...
Sonatype
 
PPTX
ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry...
ARC Advisory Group
 
PPTX
Survey: Security Analytics and Intelligence
SolarWinds
 
PDF
Meet the Experts
Experts Exchange
 
PDF
Meet our Community- Experts Exchange at a Glance
Jaime Sterling Lewis
 
PPTX
Medgate: How Communication Builds Safety Culture
The Windsdor Consulting Group, Inc.
 
The Hidden Risk of Component Based Software Development
Sonatype
 
Sonatype's 2013 OSS Software Survey
Sonatype
 
Live 2014 Survey Results: Open Source Development and Application Security Su...
Sonatype
 
ARC's Bob Mick's Cyber Security Standards Presentation at ARC's 2008 Industry...
ARC Advisory Group
 
Survey: Security Analytics and Intelligence
SolarWinds
 
Meet the Experts
Experts Exchange
 
Meet our Community- Experts Exchange at a Glance
Jaime Sterling Lewis
 
Medgate: How Communication Builds Safety Culture
The Windsdor Consulting Group, Inc.
 

What's hot (20)

PDF
Managing budgets in the public sector survey - Current challenges and future ...
Advanced Business Solutions
 
PDF
InsightsEd - Global EdTech Snapshot - July 2015
Indalytics Advisors
 
PPTX
New Synopsys research uncovers security's biggest challenges
Synopsys Software Integrity Group
 
PDF
Infographic 2014 smart_grid_cybersecurity_survey_smart_modular_technologies_z...
Massimiliano Mandolini
 
PPTX
Survey: IT is Everywhere (End Users’ Perspective, Germany)
SolarWinds
 
PDF
Safety and leadership_impact_its_a_numbers_game
Rebecca Sue (nee Marlow)
 
PDF
The IT community's take on Artificial Intelligence
Pulse Q&A
 
PPTX
Survey: IT is Everywhere (End Users’ Perspective, North America)
SolarWinds
 
PDF
Webinar: Systems Failures Fuel Security-Focused Design Practices
Synopsys Software Integrity Group
 
PPTX
Horizon Scan 2016 - Canada
Andrew Scott
 
PPTX
Survey: IT is Everywhere (End Users’ Perspective, Singapore)
SolarWinds
 
PDF
Connected Research for Sunday Business Post March 2014
Amarach Research
 
PPTX
Survey: IT is Everywhere (End Users’ Perspective, Hong Kong)
SolarWinds
 
PPTX
Survey: IT is Everywhere (End Users’ Perspective, UK)
SolarWinds
 
PDF
2008 North Bridge Future of Open Source Study
North Bridge
 
PPTX
2015 Strategic Directions: Smart Utility Report
Black & Veatch
 
PDF
2017 Software Developer Productivity Survey in the United States and Great Br...
GitPrime
 
PPTX
Survey: IT is Everywhere (End Users’ Perspective, Australia)
SolarWinds
 
PDF
Abuse Prevention App PPT (Engr. Madeeha Saeed]
Madeeha Saeed
 
PDF
Pandemic Predictions: Comfort Crushers
SatisFactsEducation
 
Managing budgets in the public sector survey - Current challenges and future ...
Advanced Business Solutions
 
InsightsEd - Global EdTech Snapshot - July 2015
Indalytics Advisors
 
New Synopsys research uncovers security's biggest challenges
Synopsys Software Integrity Group
 
Infographic 2014 smart_grid_cybersecurity_survey_smart_modular_technologies_z...
Massimiliano Mandolini
 
Survey: IT is Everywhere (End Users’ Perspective, Germany)
SolarWinds
 
Safety and leadership_impact_its_a_numbers_game
Rebecca Sue (nee Marlow)
 
The IT community's take on Artificial Intelligence
Pulse Q&A
 
Survey: IT is Everywhere (End Users’ Perspective, North America)
SolarWinds
 
Webinar: Systems Failures Fuel Security-Focused Design Practices
Synopsys Software Integrity Group
 
Horizon Scan 2016 - Canada
Andrew Scott
 
Survey: IT is Everywhere (End Users’ Perspective, Singapore)
SolarWinds
 
Connected Research for Sunday Business Post March 2014
Amarach Research
 
Survey: IT is Everywhere (End Users’ Perspective, Hong Kong)
SolarWinds
 
Survey: IT is Everywhere (End Users’ Perspective, UK)
SolarWinds
 
2008 North Bridge Future of Open Source Study
North Bridge
 
2015 Strategic Directions: Smart Utility Report
Black & Veatch
 
2017 Software Developer Productivity Survey in the United States and Great Br...
GitPrime
 
Survey: IT is Everywhere (End Users’ Perspective, Australia)
SolarWinds
 
Abuse Prevention App PPT (Engr. Madeeha Saeed]
Madeeha Saeed
 
Pandemic Predictions: Comfort Crushers
SatisFactsEducation
 
Ad

Viewers also liked (7)

ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
PDF
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
dev2ops
 
PPSX
Agile AppSec DevOps
Robert Grupe, CSSLP CISSP PE PMP
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
PDF
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon
 
PDF
Master Continuous Delivery with CloudBees Jenkins Platform
dcjuengst
 
PDF
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
dev2ops
 
Agile AppSec DevOps
Robert Grupe, CSSLP CISSP PE PMP
 
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon
 
Master Continuous Delivery with CloudBees Jenkins Platform
dcjuengst
 
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
Ad

Similar to Lisa Conference 2014: DevOps and AppSec - Who is Responsible (20)

PDF
Cybersecurity Quarterly Benchmarks Q1 2022
Gartner Peer Insights
 
PPTX
Survey: Application Use & Challenges in Government IT Infrastructures
SolarWinds
 
PDF
State of observability 2023 - story on the what
shonkoop
 
PPTX
SolarWinds Federal Cybersecurity Survey
SolarWinds
 
PDF
Cloud Management in the U.S. Federal Government
scoopnewsgroup
 
PPTX
AFCEA Cybersecurity through Continuous Monitoring: SolarWinds Survey Results ...
SolarWinds
 
DOCX
SANS 2013 Critical Security Controls Survey Moving From A.docx
anhlodge
 
PDF
The State of Remote Work Q4 2021
Gartner Peer Insights
 
PDF
CAPP Conference Survey
CynergisTek, Inc.
 
DOCX
Please read the instructions and source that provided, then decide.docx
LeilaniPoolsy
 
PPTX
Cybersecurity Operations: Examining the State of the SOC
Fidelis Cybersecurity
 
PPTX
Cyber Security in the Digital Age: A Survey and its Analysis
Rahul Neel Mani
 
PDF
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
PPTX
Preparing for the Future of Enterprise Mobility -- Insights Not to Miss
Enterprise Mobile
 
PPTX
Best Practices for a Mature Application Security Program Webinar - February 2016
Security Innovation
 
PDF
Arkadin Unified Communications Report: The Missing 'U' in UC
The Cloud Communications division of NTT Ltd.
 
PPTX
Automation in Public Sector IT Systems
SolarWinds
 
PDF
SANS 2013 Critical Security Controls Survey
Edgar Alejandro Villegas
 
PDF
NEW_Security Priorities 2021_Sample Slides.pdf
IDG
 
PPTX
Idge dell reignite2014 qp #2
jmariani14
 
Cybersecurity Quarterly Benchmarks Q1 2022
Gartner Peer Insights
 
Survey: Application Use & Challenges in Government IT Infrastructures
SolarWinds
 
State of observability 2023 - story on the what
shonkoop
 
SolarWinds Federal Cybersecurity Survey
SolarWinds
 
Cloud Management in the U.S. Federal Government
scoopnewsgroup
 
AFCEA Cybersecurity through Continuous Monitoring: SolarWinds Survey Results ...
SolarWinds
 
SANS 2013 Critical Security Controls Survey Moving From A.docx
anhlodge
 
The State of Remote Work Q4 2021
Gartner Peer Insights
 
CAPP Conference Survey
CynergisTek, Inc.
 
Please read the instructions and source that provided, then decide.docx
LeilaniPoolsy
 
Cybersecurity Operations: Examining the State of the SOC
Fidelis Cybersecurity
 
Cyber Security in the Digital Age: A Survey and its Analysis
Rahul Neel Mani
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
Preparing for the Future of Enterprise Mobility -- Insights Not to Miss
Enterprise Mobile
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Security Innovation
 
Arkadin Unified Communications Report: The Missing 'U' in UC
The Cloud Communications division of NTT Ltd.
 
Automation in Public Sector IT Systems
SolarWinds
 
SANS 2013 Critical Security Controls Survey
Edgar Alejandro Villegas
 
NEW_Security Priorities 2021_Sample Slides.pdf
IDG
 
Idge dell reignite2014 qp #2
jmariani14
 

More from SeniorStoryteller (20)

PPTX
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
PPTX
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
SeniorStoryteller
 
PDF
Implementing DevOps in a Regulated Environment - DJ Schleen
SeniorStoryteller
 
PPTX
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
SeniorStoryteller
 
PPTX
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
PDF
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
SeniorStoryteller
 
PDF
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
SeniorStoryteller
 
PDF
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
SeniorStoryteller
 
PDF
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
PDF
Building Security In - A Tale of Two Stories - Laksh Raghavan
SeniorStoryteller
 
PDF
Breaking Bad Equilibruim - John Willis
SeniorStoryteller
 
PDF
DevSecOps - Building Rugged Software
SeniorStoryteller
 
PPTX
NuGet Package Management Done Right
SeniorStoryteller
 
PPTX
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
SeniorStoryteller
 
PPTX
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
SeniorStoryteller
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
SeniorStoryteller
 
PDF
Heroes’ Journey: Learning from Successful DevOps Transformations
SeniorStoryteller
 
PPTX
Rugged DevOps: Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
PPTX
Create Rugged Applications: Managing Your Software Supply Chain
SeniorStoryteller
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
SeniorStoryteller
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
SeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
SeniorStoryteller
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
SeniorStoryteller
 
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
SeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
SeniorStoryteller
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
SeniorStoryteller
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
SeniorStoryteller
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
SeniorStoryteller
 
Breaking Bad Equilibruim - John Willis
SeniorStoryteller
 
DevSecOps - Building Rugged Software
SeniorStoryteller
 
NuGet Package Management Done Right
SeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
SeniorStoryteller
 
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
Safely Removing the Last Roadblock to Continuous Delivery
SeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
SeniorStoryteller
 
Heroes’ Journey: Learning from Successful DevOps Transformations
SeniorStoryteller
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
SeniorStoryteller
 
Create Rugged Applications: Managing Your Software Supply Chain
SeniorStoryteller
 

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Teaching material agriculture food technology
LiaRayya
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation theory and applications.pdf
gurumoop
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Cloud computing and distributed systems.
kkkkkhan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Approach and Philosophy of On baking technology
30anthuong17
 

Lisa Conference 2014: DevOps and AppSec - Who is Responsible

  • 1. Developers and Application Security: Who is Responsible? SURVEY RESULTS, November 2014 Mark Miller, Senior Storyteller
  • 4. 41% Q5 - In what industry does your business operate? 20% 17% 10% 6% Technology / ISV Consulting / SI Financial Services & Insurance Media / Entertain Public Sector Telecommunications Consumer Goods / Retail Other 14% 10% 6%
  • 7. 13% Q9 - Percentage of open source software? 40% 14% 15% 15% 0% open source 20% open source 40% open source 60% open source 80% open source 100% open source 5% 67% >5000 employees 50% in FSI 41% in Consulting 31% in Government 27% in Tech 44% for Java developers {What people estimate they are doing
  • 8. 13% Q9 - Percentage of open source software? 14% 15% 15% 0% open source 20% open source 40% open source 60% open source 80% open source 100% open source 5% 67% >5000 employees 50% in FSI 41% in Consulting 31% in Govt 27% in Tech 44% for Java developers {What people estimate they are doing What app scans reveal 40%
  • 9. 57% Q10 - For custom development, what languages are used? 31% 30% 25% 21% Java PHP .NET Ruby C/C++ 83% with > 5000 employees FSI: 82.5% Banking/Finance: 88% Government: 74%{
  • 10. Q11 - Who is the primary driver behind AppSec initiatives? 40% say dev (Q14) 76% say dev spends less than 15% time on AppSec (Q15) 42% say dev knows its important but does not have time to spend on it {40%
  • 11. Q11 - Who primarily drives AppSec initiatives? (filtered for developers only) 67% devs think they are the primary driver; (Q15) 26% say security is not their focus, 40% say they have no time to spend on it; (Q17) 74% state we have no policies or policies are not effectively enforced Observations: 84% w/ >5000 employees think it’s compliance / risk management {67%
  • 12. Q12 – Your role in AppSec? (1=not at all, 10 = highest priority) w/ >5000 employees, 75% rank security 8+ priority (Q17 – 58% of >5000 employees feel there is no clear security policy or that policy is not effectively enforced; 18% we don’t have clear policies 81% state Adherence to internal security policies is a top concern Conclusion: strong personal sense of responsibility, but little to not policies to enforce security standards; people make up their own standards w/ 101 – 1000 employees, 76% rank security 8+ priority Q17 – 67% employees feel there is no clear security policy or that policy is not effectively enforced. Q13 - 74% state adherence to internal security policies is a top concern Conclusion: “App Sec is important to me but we lack corporate policies so I’ll determine my own.”
  • 13. Q13 - Are any of these security concerns? 65.03% {#2 overall issue but only 31% test it #1 issue for government
  • 14. Q14 - How much time to developers spend on security?
  • 15. Q15 - Interest of in-house developers in regard to AppSec 41% in FSI know its important but don’t spend time 42% in tech {
  • 16. Q16 - When does App Dev spend time with security group? Observations: 23% say security checks happen, but (Q17) Only 12% have automated End of development cycle - 62% in government (#1 answer), 47% in financial services Historically, ‘end of development cycle’ is the most expensive option
  • 17. Q17 - Describe your current app security policies (Overall) Observations: 67.05% do not have clear, well defined, enforced policies 12.5% have well defined, automated policies
  • 18. Q17 - Describe your current app security policies (filtered for government) 59% policies not enforced compared to: 40% in FSI 28% in Tech{ 24% don’t have policies in place compared to: 20% in FSI 30% in Tech{Automated late in Development18% Automated across SW lifecycle12%
  • 19. Q17 - Describe your current app security policies (Developers only) 42% Do not have clear policies Observations: “I am responsible, but I have: • No tools • No policy • No time 9% Automation across lifecycle 7% Automation late in development cycle
  • 20. Q20 - If doing CI, how often is code compiled? Observations: If there is continuous integration, the percentage of automated testing increases 40% automate security testing here.
  • 21. Q23 - Where is security testing automated? Lower Cost Highest Cost High Cost Lower Cost
  • 22. Q18 - What are you testing? Observations: 80%+ of app composition is open source 30% of companies test open source • 37% tech • 20% in FSI • 29% in government
  • 24. Get the deck right now, within seconds Community@Sonatype.com
  • 26. Developers and Application Security: Who is Responsible? SURVEY RESULTS, November 2014 Mark Miller, Senior Storyteller

Editor's Notes

  • #2: Mark Miller, Senior Storyteller TheNEXUS Community Project http://www.sonatype.org/nexus/
  • #27: Mark Miller, Senior Storyteller TheNEXUS Community Project http://www.sonatype.org/nexus/