An Alarming Number of Software Teams Are Missing Cybersecurity Expertise

  /     /     /  
Publicated : 23/11/2024   Category : security


An Alarming Number of Software Teams Are Missing Cybersecurity Expertise


The overwhelming majority of developers worry about security and consider it important, yet many lack a dedicated cybersecurity leader.



Despite concerns over software security, many companies have not assigned a cybersecurity leader to help secure their applications — a problem that will only worsen as demand for technical security experts deepens worldwide.
In data published on Nov. 21, software security firm WhiteHat Security found that three-quarters of developers are worried about the security of their applications, and about seven out of eight consider security to be an important development consideration, but only half of these teams have a dedicated cybersecurity expert. The Developer Security Sentiment Study, which produced the data, found that about 49% of development teams lack a dedicated cybersecurity leader and 43% prioritize deadlines over secure coding.
While developers concerns about securing their code are on an upward trajectory, its clear the industry has a long way to go, said Joseph Feiman, chief strategy officer for WhiteHat Security, in a statement. Developers are on the front lines when it comes to protecting their organizations from cyberattacks, and they need the right tools and training to handle this burden.
Holes in software security reflect the impact of companies shift toward more agile programming methodologies. In the past, most IT dollars were spent by the actual IT organizations, and while thats still true, the budget of non-IT groups, such as DevOps, are growing, says Greg Young, vice president of cybersecurity at security firm Trend Micro. 
In 2020, businesses will be either a have or a have-not when it comes to security, he says.
AppSec, cloud security, and securing DevOps are very doable, but they take new models, not just new tools, Young says. The haves will manage AppSec well, such as building security into DevOps by providing container and workload security automatically and managing cloud security postures even when they are in cloud spaces the company didnt know they owned. The have-nots will continue to try and force DevOps into older security models, rather than adapting themselves, and miss out on innovation opportunities while getting hacked.
Adding to the pressures on companies and their ability to incorporate security into their development and operations is the general shortage of knowledgeable cybersecurity workers. Organizations that integrate security into their development life cycles generally have better security outcomes, but the shortage in workers means they have to pay a high price to do so, says Anthony Bettini, chief technology officer for WhiteHat Security.
Companies that are able to pay for experienced AppSec people do, he says. Companies whose budgets do not permit this either assign the role to someone internally or hire more junior folks from outside. The best approach likely depends on the organization based on their budget and time scale for the outcomes they desire to achieve.
Unsurprisingly, more than half of security professionals — 52% — have burned out at their job,
according to the WhiteHat report
.
Companies also have to worry about newer threats that affect software development, such as locking down their application programming interfaces (APIs) from abuse and security threats. More than a quarter of companies have detected reconnaissance attempts on their API servers, which make data and services available to Web and mobile applications, according to a survey of 100 attendees conducted by CloudVector at the Cyber Security and Cloud Expo. Another 16% do not know whether they have been attacked.
The reality is likely [that the number of attacks is] much higher given that most organizations lack the capability to detect these threats, said Ravi Balupari, vice president of engineering and threat research at CloudVector, 
in a blog post
. The lack of visibility into API payloads is a major blind spot.
Developing in-house expertise in these cybersecurity threats does not seem to be a priority either. Only 30% of developers have received some sort of security certifications in their current or previous jobs, according to the WhiteHat survey. 
There is good news, however. The vast majority of development teams — 82% — said they scan their software at least monthly, the survey found.
Related Content
A Security-First Approach to DevOps
White-Hat Bug Bounty Programs Draw Inspiration from the Old West
Why Hackers Are in Such High Demand, and How Theyre Affecting Business Culture
DevSecOps: The Answer to the Cloud Security Skills Gap
AppSec Spaghetti on the Wall Tool Strategy Undermining Security
Check out The Edge, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
Home Safe: 20 Cybersecurity Tips for Your Remote Workers
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
An Alarming Number of Software Teams Are Missing Cybersecurity Expertise