Gartner Research
How to Make Application Security Developer-Friendly
Bestin Samuel, Neha Agarwal, Mary Joy
26 April 2024 - ID G00807301 - 8 min read
By Analyst(s): Bestin Samuel, Neha Agarwal, Mary Joy
Initiatives: Software Engineering Practices; Build a World-Class Software Engineering Organization; Security of Applications and Data; Software Engineering Technologies

Software engineering leaders hold their teams responsible and accountable for security activities, but teams experience friction that impedes secure software delivery. This research highlights two companies using developer-centric approaches to address developer pain points in application security.

Overview

Key Findings

■ More than half of software engineering teams are responsible for security activities such as remediating vulnerabilities, securing APIs and embedding security controls in software. But software engineering teams experience friction that makes it difficult for them to accomplish security goals.

■ Security guidelines can be difficult for developers to interpret and apply to their specific context — only 42% of software engineering professionals believe that security requirements are easy for them to understand.

■ Developers often lack access to security expertise and guidance — nearly half of software engineering professionals report that they struggle to access security expertise when needed.

Recommendations

■ Ease the burden on developers by identifying and addressing their top pain points in completing security activities, in close collaboration with the security team.

■ Make security guidance consumable and actionable by helping developers easily interpret results from tools, such as through a composite vulnerability dashboard, and by communicating security guidance in developer-friendly language.

■ Ensure access to security expertise by identifying and training “security champions” who can answer questions and take on security responsibilities for the team.

Software Engineering Teams’ Responsibility and Accountability for Security Activities

Application security is a top priority for software engineering leaders as cyberattacks are on the rise. At the same time, software engineering teams are increasingly responsible for a range of security-related activities. According to the Gartner Security in Software Engineering Survey, over 50% of software engineering teams are fully or mostly responsible for security activities such as remediating vulnerabilities, securing APIs, embedding security controls in software, and ensuring container security (see Figure 1).

Figure 1: Security Responsibilities of Software Engineering Teams

Since software engineering teams are responsible for more security-related activities, they are also being held accountable for achieving security-related objectives. A large majority of organizations hold software engineering staff responsible for one or more security-related metrics. The most common security metrics for software engineering staff are incident resolution time, mean time to resolve critical vulnerabilities and number of vulnerabilities remediated, with over 60% of software engineering staff held accountable for each metric.

Common Developer Pain Points in Implementing Security Guidance

Software engineering teams face several obstacles to successfully accomplishing security objectives along with their other objectives for software delivery.

■ Security guidelines can be difficult for developers to interpret and apply to their specific context. Security requirements are typically designed and communicated from security’s perspective, making it difficult for software engineering teams to understand them. In addition, software engineering teams can struggle to apply security guidance to their specific technology and business contexts.

Only 42% of software engineering professionals report that security requirements are easy for them to understand.

■ Developers often lack access to security expertise and guidance. While software engineering teams may have foundational security skills, they often rely on cybersecurity teams for specific or advanced security expertise. However, cybersecurity teams are typically small and have limited capacity to support software engineering teams, which can lead to bottlenecks and delays. Nearly half of software engineering staff struggle to access security expertise when needed. For more information on software engineering and security collaboration, see Infographic: 3 Ways to Improve Software Engineering & Security Collaboration.

In this research, we highlight examples from two progressive organizations, Bancolombia and Siemens Healthineers, where software engineering leaders implemented developer-centric approaches to improve the execution of software security.

Automation and Platform Engineering Are Critical but Insufficient

Software engineering leaders often turn to automation and tooling to help the