Software security is a trending topic across the planet right now as businesses pursue rapid digital transformation and aim to ‘build back better’ after the disruption of the pandemic. As business units in all industries put pressure on developers to deploy smarter, faster and build more personalized applications that leverage customer data, stakeholders at the strategic level recognize that this must not be at the expense of security.
The drive to shift left and integrate software security earlier in the development life cycle has been gaining traction, but it is fair to say that different regions are at different levels of maturity on the journey to DevSecOps. By understanding where different regions are on the DevSecOps spectrum and how they are tackling the pressures of the software development landscape, Checkmarx and our partners can ensure we provide the right support to our customers and deliver timely and relevant guidance.
This was the rationale behind our recent research into software security in Latin America. We surveyed 343 managers in Development, DevOps, Security and Project Management from LATAM countries including Mexico, Brazil, Argentina, Colombia, and Chile. Respondents were from company sizes of between 50 and 10,000 employees in a wide variety of industries including manufacturing, software and technology, financial services, hospitality, and oil and gas.
We found that the region is facing challenges around achieving the software deployment speed required to meet business demands. There is widespread recognition that automation is the key to elevating security performance, and also evidence that throwing more headcount at the problem is not the answer – in fact, it makes the problem worse. At the same time, we found evidence that an AppSec culture is starting to emerge, though areas for improvement remain.
Our findings fell into five key areas:
1 - Pace and vulnerability pressure are shaping the LATAM software development landscape
Businesses in Latin America have undergone rapid digital transformation, and this is evident in software deployment frequency. 58% of companies surveyed deploy weekly or more frequently, with 13% deploying daily and 2% already adopting continuous deployment.
Organizations have shifted their development methodologies to support this increase in pace, with three-quarters using Agile and/or DevOps deployment methodologies and 49% adopting feature-driven development. Waterfall, lean, and scrum approaches are a thing of the past, with fewer than 6% using any of these approaches.
At the same time, vulnerabilities are frequently encountered. Seventy-one percent regularly face mobile application security vulnerabilities, two thirds see frequent Infrastructure as Code weaknesses, and forty-six percent often spot application vulnerabilities such as SQL injection and XSS. Interestingly, almost half (46%) say they occasionally face cloud native technology challenges, such as in container configuration and orchestration, indicating that organizations need support in securing this aspect of software development.
2 - Vulnerability remediation is not as rapid as it should be
Faced with this range of vulnerabilities, and under pressure from a fast delivery schedule, it is not surprising that development teams are struggling to respond as fast as they would like.
In more than half of cases (51%) it takes more than one month to remediate open source/third party vulnerabilities. Even for proprietary code, it takes more than one month to address issues for 48% of respondents. On average, it takes 8.6 weeks to address OSS/third-party vulnerabilities and more than nine weeks to fix in-house code. This leaves significant windows of opportunity for bad actors to spot and exploit those vulnerabilities.
The problem is not a lack of headcount. In fact, our research showed that the more developers a company has, the longer it takes to fix issues post-detection. Perhaps this is because organizations are intensely focused on deployment and, the more developers that are tasked with this as a priority, the weaker the security focus becomes.
This aligns with another research finding that it is C-level stakeholders, more than development teams, who are strongly focused on security. 26% of CISOs and 25% of top management respondents rated secure code development as critical, compared to only 13% of development team members and 16% of development managers. When it comes to security, tone from the top is important, so organizations should look to senior leaders to build security culture and awareness by setting security-focused targets and providing education for developers to support the security imperative.
3 - Automation is in and manual testing is out
Asked what would make implementing AppSec easier and more effective in their company, the strong consensus is that manual testing is a thing of the past, with 99% taking this view.
Aligning with our earlier finding, more than 92% also felt that hiring more developers and QA engineers wouldn’t solve the issue.
Instead, they are looking for greater automation in security testing tools, more direct integration of security testing into developer workflows and streamlined collaboration between key teams. Consequently, organizations will be seeking tools that can help them achieve these aims.
4 - Strong budget growth expected
Reflecting the increasing mainstream focus on Application Security and the need to invest in tools rather than headcount, a large majority of organizations expect to increase budgets in the coming year. Ninety-seven percent will see budgets rise by 10% or more, with more than one quarter (26%) expecting growth of more than 50%.
Investment in application security is a rational response to the escalating threat landscape given the sheer proliferation of code generated by modern software-centric companies. The risk of breaches grows ever-greater and the penalties – in reputational, legal, and operational terms – become more business-critical by the day. Companies need to do all they can to support developer teams to build secure applications without compromising on efficiency and delivery.
Fortunately, this is recognized, with 99% saying they plan to adopt more AppSec tools in the short term. Software Composition Analysis (SCA) tops the wish list, with thirty-nine percent planning to purchase, followed by DAST (31%) and API security (29%).
5 - A proactive AppSec culture is emerging in Latin America
There are positive signs that an AppSec approach is maturing in the region. Thirty-five percent are already using Static Application Security Testing (SAST) and just over one fifth (22%) are using Dynamic Application Security Testing (DAST) at the development stage. Emerging testing technologies are also seeing adoption, with thirty-two percent adopting Infrastructure as Code security testing and twenty-eight percent API security testing.
With increased investment in automated security tools and continued focus from senior stakeholders, which will ideally cascade down into development teams through education and awareness training, the Latin America region looks set to make good progress towards the crucial goal of fast, secure software development.