Global Survey Data Finds 40 Percent of Businesses are Implementing Security Testing at the Programming Stage

BURLINGTON, MA--(Marketwired - Dec 20, 2016) - Veracode, a leader in securing the world's software, today announced compelling insight from a survey of global developers and development managers on the current state of software security. The report underscores the importance of developer-led security in the age of DevOps, and showed that businesses are recognizing the importance of securing applications. Despite showing moves toward earlier and more frequent security testing throughout the development process, the survey results also indicated there are still hurdles development and security teams must overcome when it comes to securing applications.

Increased Recognition, Earlier Testing
According to the survey, 40 percent of developers are incorporating securing testing during the programming stage, and 21 percent identify the design stage as the point at which security testing is completed. Testing early in the development process finds security defects in code at the point where it is the least costly to fix the defects. 

The survey also shows that developers are recognizing the importance of securing applications. 38.6% of developers responded that their number one concern is protecting applications from cyberattacks and data breaches. Traditionally, developers were not focused on securing applications, and this shift in mindset helps explain the new emphasis on early testing reported in the survey.

Improving for the Future
Despite the fact developers recognize the importance of securing software and the need for early security testing, areas for improvement remain. Developers are still dealing with security programs that impede their development efforts. The report, which included respondents from the U.S., U.K. and Germany, also showed that that 52 percent of developers feel application security testing often delays development and threatens deadlines. And, fewer than 25 percent of developers feel they have authority over decisions regarding application security.

This lack of authority and impact of development timelines has the potential to decelerate the strides made in improving application security and making security part of the development process.

"In an age where continuous deployment and frequent innovation is critical to the success of business, it is unacceptable for security testing to hinder development efforts," said Tim Jarrett, director of Security at Veracode. "As DevOps environments become a standard method of developing software, the industry has an opportunity to continuously improve the way it integrates security into the development process."

For more information on the data, please visit: https://info.veracode.com/report-veracode-developer-survey.html 

Additional data points:

• Sensitive Data Exposure is top concern: 52 percent of developers and managers cited sensitive data exposure as their top concern. This includes credentials and PII such as health data. Broken authentication and session management was the second concern at 37 percent.
• Regional Differences: In Germany and U.K. 40 percent of developers, and 38 percent of development managers said stopping cyberattacks and breaches was their top concern, while in the U.S., the opposite was true: more development managers (42 percent) than developers (34 percent) listed this as their top concern.
• Budget and Delivery Schedules: In Germany and the U.K., 26 percent of managers said meeting budget and delivery schedules was their top concern, versus just 18 percent of development managers in the U.S.
• Healthcare Prioritizes Compliance: Developers and managers in the healthcare industry cited meeting customer and regulatory compliance as their top concern.
• Despite Risk, Open-Source is of little concern: Veracode's recent SOSS Report showed that 97 percent of Java applications had at least one component with a known vulnerability, yet the survey results showed that only 28 percent said that using components with known vulnerabilities was a major concern.
• Financial Services and Manufacturing Late to the Game: 11 percent of financial services and 16 percent of manufacturing companies said they incorporated security later in the development cycle.

About Veracode
Veracode is a leader in helping organizations secure the software that powers their world, whether it is software they make, buy or sell. Veracode's SaaS platform and integrated solutions for application security provide an end-to-end approach from code creation to application deployment. The Veracode platform incorporates technology, expertise and workflows into a unified, efficient solution for developers and security teams as well as enterprise risk and compliance functions.

Veracode serves over a thousand customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes' 100 Most Valuable Brands. Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Veracode is a registered trademark of Veracode, Inc. All other brand names, product names, or trademarks belong to their respective holders.

Methodology
The survey was conducted on behalf of Veracode in September 2016. An independent research organization surveyed mid-level and senior software developers as well as development operations managers in a wide range of industries with a particular focus on financial services, architecture and engineering firms, education, healthcare and manufacturing.

A total of 351 developers completed the survey. Of the total, 230 were U.S.-based, 60 were from the U.K. and 61 were from Germany. For development operations managers, 151 people responded with 50 in the U.S., 50 in the U.K., and 51 in Germany.

Respondents were dispersed among mid-sized businesses and large enterprises. Companies were broken down into three categories: 500 to 999 employees, 1,000 to 4,999 employees and more than 5,000 employees.