Software developers are spending significantly more time – and companies a fortune – on security-related tasks such as manual application scan reviews, context switching, and secrets detection, according to new research.
An IDC report for software firm JFrog found that half of developers reckon they spend 19% of their weekly hours on security-related tasks, often outside normal working hours.
As a result, organizations are effectively spending $28,000 per developer per year.
Meanwhile, half of senior developers, team leaders, product owners, and development managers said spending time on software security-related tasks was getting in the way of innovating, building, and delivering new business applications.
"Securing the software supply chain already poses significant challenges for organizations, but it becomes more complex when multiple tools are used, forcing developers to toggle between multiple environments, leading to inefficiencies, wasted time, and increased risk," said Asaf Karas, CTO of JFrog Security.
"IDC’s survey creates a compelling case for companies to invest in streamlined security processes, tooling and training, to empower their developers to be more efficient and effective in protecting the software supply chain."
Software developers are tired of manual fixes and context switching
Notably, the study found developers are spending three and a half hours a week manually reviewing security scanning findings, largely thanks to false positives and duplicates.
Half their time goes to understanding and interpreting secrets scanning results, making the appropriate changes to code, and updating secrets management measures. Seven-in-ten said switching between different tools reduced efficiency.
Other time-consuming systems include Infrastructure as Code (IaC), used to automate the provisioning and management of IT infrastructure, such as servers, networking, operating systems, and storage. This needs to be scanned every time code changes, with more than half (54%) of developers saying they run IaC scans weekly or monthly.
Meanwhile, only 23% of developers are running static application security testing (SAST) scans before deploying code into production, leaving a huge gap for malicious code to slip through.
"DevSecOps is not just a business imperative; it is the cornerstone of building the secure applications of the future. However, a significant challenge lies in overcoming inefficient, poorly implemented tools that squander developers’ time and inflate costs," said Katie Norton, research manager, DevSecOps and software supply chain security at IDC.
"To be successful, IT and software development team leaders must automate repetitive and time-consuming tasks, ensure DevSecOps tools deliver accuracy with minimal false positives, and provide ongoing access for developers to application security education and resources so they can keep pace with a rapidly increasing threat landscape."
The report is just the latest to highlight the problems with security testing tools, with new research from Black Duck finding that more than eight-in-ten organizations use between six and 20 different security testing tools.
This makes it harder to distinguish between genuine issues and false positives, with six-in-ten saying between 21% and 60% of their security test results were false positives, duplicates, or conflicts.
More from ITPro
