Cybersecurity pros spend hours on issues that should have been prevented

Security staffers can spend more than five hours addressing security flaws that occurred during the application development cycle, says Invicti.

Security vulnerabilities have a bad habit of popping up during the software development process, only to surface after an application has been deployed. The frustrating part is that many of these security flaws could have been resolved beforehand had the proper methods and tools been used to uncover them.

A report released Tuesday by web application security firm Invicti looks at the time and resources spent tracking down security holes in developed applications.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

To compile its report “State of the DevSecOps Professional: At Work and off the Clock,” Invicti teamed up with Wakefield Research to survey 500 cybersecurity professionals and software developers with at least Director-level roles. The respondents all hailed from US companies with 2,000 or more employees.

Some 41% of the security professionals and 32% of the developers surveyed said they spend more than five hours each workday addressing security issues that should not have occurred in the first place. Having to tackle these security problems, especially in the midst of the so-called Great Resignation and the worry over impending cyberattacks, can easily lead to overwork and stress among professionals.

Some 81% of the respondents said that support tickets have a “magical power” to arrive at the very end of the day. A third of those surveyed said they’ve had to cancel dates and nights out with friends due to security problems at work. Plus, half of them revealed that they’ve had to log in over a weekend or on their own time to resolve a problem.

Despite the stress, many of the respondents pointed to certain positive aspects of their jobs.

Some 65% of the security pros and developers said they believe they saved their companies at least $1 million over the past year by preventing breaches. A full 95% said that digital transformation and the move to a remote workforce have made their jobs more valuable and rewarding. Plus, 49% of those surveyed said they’re friendly with their counterparts in the security or development area, an improvement from last year’s findings.

Still, the frequent security vulnerabilities and problems that surface are evidence of the need for improvement in the application development cycle.

“Security is everyone’s job now, and so disconnects between security and development often cause unnecessary delays and manual work,” said Invicti chief product officer Sonali Shah.

“Organizations can ease stressful overwork and related problems for security and DevOps teams by ensuring that security is built into the software development lifecycle, or SDLC, and is not an afterthought,” Shah added. “Application security scanning should be automated both while the software is being developed and once it is in production. By using tools that offer short scan times, accurate findings prioritized by contextualized risk and integrations into development workflows, organizations can shift security left and right while efficiently delivering secure code.”

When it comes to software development, innovation and security don’t need to compete, according to Shah. Rather, they’re inherently linked.

“When you have a proper security strategy in place, DevOps teams are empowered to build security into the very architecture of application design,” Shah said. “By building security into the SDLC and investing in tools that automate everything with accuracy to reduce manual work, organizations have more room for innovation and can eliminate friction between security and development.”