As companies strive to build secure, reliable applications, new findings reveal an overlooked cost: developers’ time spent managing security issues.
A recent IDC report for JFrog finds that software developers dedicate a significant share of their work week, up to 19 percent, to security-related tasks such as scan reviews, secrets detection and context-switching between multiple tools.
Key findings from the report, as published in IT Pro, put the cost of this time at roughly $28,000 per developer annually. There is also concern that much of this work happens outside standard hours, adding strain on developers and reducing overall productivity.
Beyond individual developers, 50 percent of senior developers, team leaders and managers say that time spent on security hinders their ability to focus on critical projects, slowing innovation and delaying the release of new applications.
Tool sprawl is cited as another hidden cost of application security. Eighty percent of organizations report using between six and twenty different security testing tools. Used in silos, these tools generate a great deal of noise and make it hard to distinguish genuine threats from false positives.
Sorting through false positives and duplicate vulnerabilities consumes an inordinate amount of developer time and leads some developers to skip steps entirely. According to the report, fewer than a quarter of developers run static application security testing (SAST) before deploying code, leaving room for even more vulnerabilities to reach production.
While these numbers are concerning, organizations have a growing number of options available. Single-platform solutions like HCL AppScan on Cloud bring a wide array of testing tools under one umbrella. Findings from DAST, SAST, IAST and SCA scans can be reviewed in centralized dashboards, security tasks can be shared between team members, and results from the different scanners can be correlated for more efficient triage and remediation.
Additionally, AI is increasingly used not only to reduce the number of false positives in scan results, but also to widen scan coverage and to assist with remediation in tools like HCL AppScan AutoFix.
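To make the correlation point concrete, here is an added example (not HCL AppScan, JFrog or IDC code) of the kind of normalization that turns several tools' raw findings into one triage queue. It assumes two constructed SAST outputs already flattened to a minimal common record (the field names, the ±2 line tolerance and the 0.5 confidence threshold are illustrative assumptions, not any vendor's schema) and shows how duplicates reported by different tools collapse into one item, with corroborated findings ranked ahead of single-tool, low-confidence ones.

```python
"""Correlate findings from several application-security scanners.

Added example, not code from HCL AppScan, JFrog or the IDC report. The tool
names, record fields and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed sample output from two hypothetical SAST tools. Both flag the
# same SQL injection in app/db.py but disagree on path form, line and severity.
SAST_TOOL_A = [
    {"tool": "sast-a", "cwe": "CWE-89", "file": "app/db.py", "line": 42,
     "severity": "high", "confidence": 0.9},
    {"tool": "sast-a", "cwe": "CWE-79", "file": "app/views.py", "line": 17,
     "severity": "medium", "confidence": 0.4},
]
SAST_TOOL_B = [
    {"tool": "sast-b", "cwe": "CWE-89", "file": "./app/db.py", "line": 43,
     "severity": "critical", "confidence": 0.8},
    {"tool": "sast-b", "cwe": "CWE-798", "file": "app/config.py", "line": 3,
     "severity": "high", "confidence": 0.95},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LINE_TOLERANCE = 2  # assumed: one tool reports the sink, another the statement start


def normalize_path(path: str) -> str:
    """Canonicalize a file path so tools that differ in prefix style still match."""
    path = path.replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path.lstrip("/")


@dataclass
class Correlated:
    cwe: str
    file: str
    lines: list        # every line number any tool reported for this issue
    tools: list        # tools that reported it, in order first seen
    severity: str      # highest severity any tool assigned
    confidence: float  # highest confidence any tool assigned


def correlate(*tool_outputs, tolerance=LINE_TOLERANCE):
    """Merge findings that share a weakness class and file and sit within
    `tolerance` lines of each other into a single Correlated item."""
    findings = sorted(
        (dict(f, file=normalize_path(f["file"])) for out in tool_outputs for f in out),
        key=lambda f: (f["file"], f["cwe"], f["line"]),
    )
    groups = []
    for f in findings:
        g = groups[-1] if groups else None
        same_issue = (
            g is not None and g.file == f["file"] and g.cwe == f["cwe"]
            and f["line"] - g.lines[-1] <= tolerance
        )
        if same_issue:
            g.lines.append(f["line"])
            if f["tool"] not in g.tools:
                g.tools.append(f["tool"])
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[g.severity]:
                g.severity = f["severity"]
            g.confidence = max(g.confidence, f["confidence"])
        else:
            groups.append(Correlated(f["cwe"], f["file"], [f["line"]],
                                     [f["tool"]], f["severity"], f["confidence"]))
    return groups


def triage(groups, min_confidence=0.5):
    """Split correlated items into a fix-now queue and a likely-noise review queue.
    Anything reported by more than one tool is treated as corroborated."""
    fix, review = [], []
    for g in groups:
        if len(g.tools) > 1 or g.confidence >= min_confidence:
            fix.append(g)
        else:
            review.append(g)
    fix.sort(key=lambda g: (-len(g.tools), -SEVERITY_RANK[g.severity], -g.confidence))
    return fix, review


if __name__ == "__main__":
    merged = correlate(SAST_TOOL_A, SAST_TOOL_B)
    fix_queue, review_queue = triage(merged)
    print(f"{sum(len(t) for t in (SAST_TOOL_A, SAST_TOOL_B))} raw findings -> "
          f"{len(merged)} correlated, {len(fix_queue)} to fix, {len(review_queue)} to review")
    for g in fix_queue:
        print("FIX   ", g.cwe, g.file, g.lines, g.tools, g.severity)
    for g in review_queue:
        print("REVIEW", g.cwe, g.file, g.lines, g.tools, g.severity)
```

On the constructed input the four raw findings become three items: the two SQL injection reports merge into one corroborated critical item at the head of the fix queue, the hard-coded credential follows on its own high confidence, and the lone low-confidence XSS report drops to the review queue rather than interrupting a developer as an equal-priority alert.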
Application security testing is a critically important tool in helping organizations reduce business risk and manage their overall application security posture as they compete in the digital+ economy.
While this report highlights some of the challenges in building an effective security culture, there is an increasing number of tools, methodologies, and training available to help.
Learn how HCL AppScan can help your organization strengthen its security posture with less time and fewer resources.