New Report Finds Developers Remediate Only 32% of Vulnerabilities and Regularly Push Vulnerable Code
Tromzo, a developer-first application security management platform, has released the findings from its new Voice of the Modern Developer Report. The report was based on a survey of more than 400 U.S.-based developers who work at organizations where they currently have CI/CD tools in place. “These findings show that developers regularly ignore security issues, but can we really blame them?” said Tromzo CTO and co-founder Harshit Chitalia. “Security teams are bombarding them with an endless stream of issues that need to be addressed with no way for them to separate what’s actually critical from all the noise, all while they are expected to release software more frequently and faster than ever before. If we want developers to truly implement security, we must make it easy for them. This means integrating contextual and automated security checks into the SDLC so we can transition from security gates to security guardrails.”

Key Findings:
42% of developers push vulnerable code once per month. When a developer knowingly pushes code they believe to be vulnerable, either they do not consider fixing it before the push to be their responsibility, or other organizational pressures have deprioritized security over delivery.
Developers fix only 32% of known vulnerabilities. Given the volume of false-positive alerts teams deal with today, fixing 32% of reported vulnerabilities could well be an acceptable outcome, provided developers could reliably identify which 32% actually matter. Without security training and experience, however, developers should not be expected to make that determination accurately on their own.
A third of vulnerabilities are noise. To cut false-positive findings, scanners need access to the asset context (what the code is, where it runs, and how it is exposed) required to determine whether a reported vulnerability actually applies. Reducing that noise lets developers address the remaining security issues with confidence.
33% believe that developers and security are siloed. When developers and security teams operate in insulated silos, the result is inefficiency and gaps in coverage across the software development lifecycle, which in turn show up as shipped vulnerabilities and poor user experiences.
About Tromzo

Tromzo is a developer-first application security management platform that helps reduce the friction between developers and security. The company was founded by security practitioners and is backed by Innovation Endeavors, Operator Partners, SVCI and more than 25 leading CISOs and security industry executives. For more information, visit www.Tromzo.com

Source: Tromzo