About SlashData

WHO DEVELOPERS ARE
WHERE THEY ARE GOING
WHAT THEY BUY

Developer population sizing
Developer segmentation
SlashData helps the world understand developers
Why developers are adopting competitor products and how you can fix that
Emerging platforms: augmented & virtual reality, machine learning

SlashData surveys 30,000+ developers annually across web, mobile, IoT, cloud, Machine Learning, AR/VR, games and desktop to help companies understand who developers are, what they buy and where they are going next.

Can I share data from this report?

1. License Grant
This report is licensed under the Creative Commons Attribution-NoDerivatives Licence 4.0 (International). Put simply, subject to the terms and conditions of this license, you are free to:

Share: You can reproduce the report or incorporate parts of the report into one or more documents or publications, for commercial and non-commercial purposes.

Under the following conditions:

Attribution: You must give appropriate credit to SlashData™, and to Cisco, as sponsors of this report, and indicate if changes were made. In that case, you may do so in any reasonable manner, but not in any way that suggests that SlashData™ endorses you or your use.

NoDerivatives: you cannot remix or transform the content of the report. You may not distribute modified content.

2. Limitation of Liability
SlashData™, believes the statements contained in this publication to be based upon information that we consider reliable, but we do not represent that it is accurate or complete and it should not be relied upon as such. Opinions expressed are current opinions as of the date appearing in this publication only and the information, including the opinions contained herein, are subject to change without notice. Use of this publication by any third party for whatever purpose should not and does not absolve such third party from using due diligence in verifying the publication's contents. SlashData™ disclaims all implied warranties, including, without limitation, warranties of merchantability or fitness for a particular purpose. SlashData™, its affiliates, and representatives shall have no liability for any direct, incidental, special, or consequential damages or lost profits, if any, suffered by any third party as a result of decisions made, or not made, or actions taken, or not taken, based on this publication.

The analyst of the developer economy | formerly known as VisionMobile
SlashData Copyright 2022 | Some rights reserved

ABOUT THE AUTHORS

Richard Muir, Data Journalist
Richard is a Data Journalist with over five years' experience working in a range of industries, from government policy to automotive. He is responsible for finding and interpreting actionable insights from SlashData's developer surveys.
richard@slashdata.co

Simon Jones, Data Storyteller
Simon has more than 15 years' experience working in research and software development across academic, industrial and charitable sectors. He holds a PhD in Computer Science and has published over 40 peer-reviewed articles spanning areas such as mobile and ubiquitous computing, IoT, AR/VR, data science and human-computer interaction.
simon.jones@slashdata.co

TABLE OF CONTENTS

EXECUTIVE SUMMARY
KEY INSIGHTS
INTRODUCTION
SECURITY IS A KEY PRIORITY FOR ENTERPRISE DEVELOPERS
SHIFT-LEFT SECURITY
AUTOMATING SECURITY
CONCLUSION
APPENDIX

EXECUTIVE SUMMARY

In this report, we examine the state of security in enterprise software development. Using data from two global surveys of enterprise developers, we show the extent of security threats and challenges faced by enterprise developers, particularly when using modern development approaches that rely on open and connected environments, with microservice architectures and APIs as foundational building blocks. We find that the majority of developers have already experienced at least one security exploit in the APIs that they work with.

We argue that a shift-left approach, which aims to improve application security from the earliest stages in the development lifecycle, is critical. However, adopting a shift-left approach is challenging; in fact, many enterprise developers rate security among their most significant challenges. Our data shows that early-career software developers are entering the industry with a clear focus on improving security, but this is often supplanted by other priorities such as improving scalability and performance as their experience increases.

We provide data to show the extent of the adoption of shift-left security and highlight the specific developer groups most likely to be in the
vanguard of this approach. We also address the importance of automating security procedures as a fundamental part of a shift-left strategy and underscore the benefits of automation tools that reduce the burden on developers. However, we show that development team members working closest to the code and those driven most by gaining experience to advance their careers, are currently among the least likely to use security automation tools. Hence, it is important that developers recognise that automation is not only a fundamental aspect of shift-left security but also that it represents the highest level of security maturity and excellence.

KEY INSIGHTS

Security is a key priority for enterprise developers

49% of developers report that they have had to deal with multiple API security-related exploits in the past 12 months. Only one-third of organisations report that they can resolve security exploits within one day.

25% of enterprise developers report that managing security or adding security into the development pipeline is among the most significant challenges they face.

Migration of software to the cloud is a driver of increasing challenges around software security, increasing the attack surface area and adding to the required complexity of a solution.

A shift left for security is taking place

54% of developers are currently involved with security during development. Many developers have introduced additional security measures as a result of exploits occurring.

However, approximately one in five enterprise developers (21%) indicate that they have no involvement in security-related activities whatsoever.

Involvement in security processes increases with software development experience as developers acquire more knowledge and seniority. However, for many new developers, improving security is one of their primary goals.

Developers in North America and the Middle East and Africa are in the vanguard of the shift-left approach. 62% of enterprise developers here are involved in security-related processes during early development.

64% of all enterprise developers are using automated security tools to
some extent. However, developers primarily motivated by gaining experience are the least likely to use automation: just 46%. Organisations should emphasise that automation represents the highest level of maturity and excellence and that experience using automation tools is highly valued.

INTRODUCTION

Developers and Shift-Left Security: Progress, Priorities, and Automation

This report provides data from two global surveys of enterprise developers developed collaboratively by Cisco and SlashData. It covers developers' exposure to API security exploits, their outlook on security, the extent to which developers consider security during the early stages of development, and how they are using automation tools to detect and remediate threats.

Just as advances in software development are fast-paced, so is the evolution of security threats. Vulnerabilities can compromise data, applications, and networks, with the average cost of a security breach in a hybrid cloud environment reported to stand at $3.6 million. Organisations must make significant investments to strengthen their software security, particularly as systems become more open and connected and increasingly reliant on APIs to connect services and transfer data. Adding security measures at the end of a development process is insufficient. Instead, security must “shift-left” to the earliest stages so that developers mitigate threats that could lead to costly remediations later in the lifecycle.

SECURITY IS A KEY PRIORITY FOR ENTERPRISE DEVELOPERS

When it comes to security, prevention is better than recovery. However, if security breaches do occur, it is also essential that organisations are prepared to act quickly to
resolve them. We find that only one-third of enterprise developers' organisations can resolve API exploits within one day of a breach occurring. A further third of developers' organisations take, on average, between one day and one week to resolve exploits, and an additional 22% take more than one week, with as many as 7% taking between one to six months. Treating security as a key concern from the beginning of the lifecycle can help to increase preparedness and avoid situations where organisations incur high costs and reputational damage by being unable to fix issues quickly.

Our survey data shows that
security threats are prevalent. For example, most enterprise developers have already experienced an API security exploit: 58% of them indicate that they have had to deal with at least one API exploit within the past 12 months. Moreover, 49% of developers have had multiple API exploits in this period. With modern applications increasingly relying on microservice architectures, securing APIs that connect services becomes a crucial aspect of effective security. Developers often have numerous APIs to build and maintain. Hence, thinking about security from the outset of development is critical to avoid lost time and effort, reworking code, and dealing with exploits later in the lifecycle.

58% of developers report that they have had to deal with at least one API security-related exploit in the past 12 months
% of enterprise developers (Q3 2022 n=224)

Have you had to deal with an API-related security exploit in the past 12 months?
Yes: 58%
No: 42%

Number of API-related security exploits that developers have dealt with in the past 12 months
1: 9%
2-5: 20%
6-10: 15%
11-20: 8%
21+: 6%

Only one-third of organisations can resolve security exploits within one day
% of enterprise developers (Q3 2022 n=224)

Average time to resolve API-related security exploits
Less than 1 hour: 7%
1 hour to 1 day: 27%
1 day to 1 week: 33%
1 week to 1 month: 13%
1 month to 6 months: 7%
More than 6 months: 2%
I don't know/not sure: 11%

We find that the proportion of developers reporting security as one of their main challenges grows as the size of their organisation increases. Developers working in small and medium-sized businesses but targeting enterprise users are slightly less likely to report security as a significant challenge: 21% of developers in organisations of 101-500 employees. This rises to 27% in organisations with between 1,001-5,000 employees, where there are likely larger, more complex software systems to build and protect.

Developers often need to defend against security threats whilst also dealing with complex systems that scale, comprise countless microservices, and span multiple cloud environments: 40% of developers deploy code to a public cloud, 37% to a hybrid cloud, and 26% to a multi-cloud environment. 25% of enterprise developers report that managing security or adding security into the development pipeline is among the most significant challenges they face. Managing security ranks joint third in the list of enterprise developers' challenges, behind scalability and performance optimisation.

Managing security ranks joint third in the list of enterprise developers' challenges
% of enterprise developers selecting each option as one of the main challenges they face in software development (Q2 2022 n=853)

Enterprise developers' top-ten software development challenges
Making tooling decisions: 16%
Steep learning curves for tools: 17%
Managing risks with open source software: 19%
Lack of training: 19%
Understanding my organisation's processes: 19%
Pricing/licensing fees: 23%
Managing security/adding security to the pipeline: 25%
Aligning development strategy with business strategy: 25%
Optimising software performance: 32%
Ensuring software is scalable: 35%

We asked enterprise developers to identify their single most important goal within software development. Improving security ranks as the second most common goal of developers who are just starting
out: those with up to two years of development experience. These developers recognise that bolstering security benefits their careers and their organisation's security stance in the long term. They are also part of a new generation of developers for whom application security is often an integral part of their training.

However, security fluctuates as a priority as developers gain experience. For developers with 3-5 years of experience, we see a strong shift toward priorities such as improving scalability and performance. Given these competing demands, as developers gain experience, security considerations must become embedded into their everyday practices and processes. We explore the extent to which this is happening in the next chapter.

According to our survey data, software migration to the cloud also contributes to challenges around security. Around one-third of developers that deploy to multi-cloud, hybrid-cloud, or fog/edge infrastructure report difficulties in managing security, more than those deploying to any other setting. We find that security breaches occur regardless of which public, private, or hybrid cloud providers they use. Open and connected environments force developers to consider the associated security implications and challenges, as well as increasing the attack surface area and adding to the complexity required of a solution.

Developers who deploy apps to hybrid cloud, multi-cloud, and fog/edge environments are the most likely to identify security as a challenge
% of developers who deploy code to each environment that mention managing security/adding security to the pipeline as a significant challenge (Q2 2022 n=853)

Enterprise developers reporting significant security challenges in each environment
Web client/front end: 25%
Smartphones & tablets: 27%
Desktops & laptops: 28%
Private cloud (cloud only available to certain users): 29%
On-premise servers: 30%
Public cloud: 31%
Mainframe: 31%
Hybrid cloud (using public and private clouds for a single project): 33%
Multi-cloud (using multiple public clouds for a single project): 34%
Network infrastructure (incl. fog/edge computing, NFV): 34%

Early career developers are prioritising security
% of enterprise developers that report each primary goal by their level of development experience (Q2 2022 n=855)
[Chart: Enterprise developers' primary goal in software development by their level of experience. X-axis: years of software development experience (0-2 years, 3-5 years, 6-10 years, 11-15 years, 16+ years). Series: Improve scalability, Increase security, Optimise software performance.]

SHIFT-LEFT SECURITY

More than half of developers' organisations have added security training, increased the use of scanning tools, and improved connection security
due to the occurrence of API exploits. While these components of a shift-left approach are relatively straightforward to implement, there is a need for technologies that accelerate the adoption and success of shift-left strategies and reduce the burden on developers, for example, modern predictive analytics and AI automation tools that proactively help to ensure security for a software system.

In this chapter, we examine the stages at which enterprise developers are addressing security. We show the extent to which security has shifted left, from processes considered towards the end of a development cycle to those implemented throughout the entire development cycle. We highlight how enterprise developers' involvement in security varies across development, deployment, and production, as well as according to their experience level and geographic location.

A shift-left security philosophy means that security must have a seat at the table from the earliest stages of software development. If security issues are addressed early on, remediation costs far less than during deployment or after a breach. Our data shows that considerable effort is already invested in identifying security vulnerabilities and threats during early development, with many organisations introducing additional security measures and practices as a result of discovering exploits.

More than half of developers' organisations have added security training, increased the use of scanning tools, and improved connection security as a result of API exploits
% of enterprise developers (Q3 2022 n=189)

What actions has your organisation taken in response to API-related security exploits?
We've paid penalties/compensation for non-compliance with data laws or agreements: 9%
We've set limits on API usage: 26%
Our security operations have shifted to take place earlier during development: 29%
We've introduced continuous assessment of all API endpoints: 43%
We've added or improved connection security/encryption: 53%
We've increased our use of security scanning tools/solutions: 55%
We've added or improved security training for development teams: 56%

Although many developers are shifting security to the left, approximately one in five enterprise developers (21%) indicate no involvement in
security-related activities. Embedding security into the development process requires significant cultural change, with developers weaving security into their everyday working practices, making informed security decisions, and having security ownership. It is still relatively common for security to remain the sole responsibility of a siloed security team. However, organisations require processes and tooling that enable the responsibility of delivering secure software to be shared if a shift-left approach is to be effective. The scale of this situation suggests that many enterprise organisations would benefit from a profound cultural change in their attitudes towards security.

At present, the majority (54%) of enterprise developers are involved in security-related activities during early development stages, from checking for issues pre-commit through to formal testing. Beyond the development phase, 27% of developers are involved in security-related checks as part of Day 1 operations, when software is initially deployed. This includes infrastructure provisioning, installation, configuration, and deployment rollbacks. However, 20% of enterprise developers still focus on security risks and threats only after
an application goes live (Day N operations, such as monitoring, alerting, issue detection, and incident management) without any involvement in security checks during the design and development phases. Individuals' involvement in security across every one of these development stages is highly uncommon, indicating that most developers focus on specific aspects of security during development: just 6% of developers are engaged in security checks at every development stage.

The majority of developers are addressing security during the development phase
% of enterprise developers (Q2 2022 n=841)

Enterprise developers involved in security checks at each stage of the software lifecycle
Development phase
Pre-commit security checks: 24%
Commit-time security checks: 21%
Build-time security checks: 29%
Test-time security checks: 29%
Any development phase security checks: 54%
All development phase security checks: 6%
Day 1 operations
Deploy-time security checks: 27%
Day N operations
Day N security checks only: 20%
None of the above: 21%

Involvement in security increases with software development experience. Those with 6-15 years of experience are most likely to have “shifted left” their security practices, with 62% engaged in security during the development phase and only 15% focussing on security post-deployment. These developers are also the most likely to address security across all development stages (pre-commit, commit, build, and test); however, this is still relatively uncommon even for this group. Exposing developers to a shift-left practice earlier in their career is likely to help significantly in building an organisation's security-conscious culture.

Enterprise
developers' level of experience impacts their involvement in security activities at different stages. Early-career developers with up to two years of experience are the least likely group to be involved in security checks during early development stages and the most likely to have no involvement in security testing at all (32%). As noted earlier, early-career developers are the most likely to be motivated by the goal of increasing the security of software but tend to prioritise other goals as they gain experience. This mismatch between a strong desire to improve security and limited involvement in security practices at an early career stage suggests that more needs to be done to ensure that developers hit the ground running when it comes to tackling security issues at the outset of their career, e.g. additional opportunities to work on security, along with appropriate tools, support, and training.

Developers with 6-15 years of experience are the most likely to be involved in development-phase security checks
% of enterprise developers involved in each security-related activity by their level of experience (Q2 2022 n=841)
[Chart: Involvement in security checks by software development experience. X-axis: 0-2 years, 3-5 years, 6-10 years, 11-15 years, 16+ years. Series: None of the above, All development phase security checks, Day N security checks only, Any development phase security checks.]

Developers in South America do not appear to be adopting the shift-left approach at the same pace as other regions. Only 30% of enterprise developers are engaged in development phase security checks. Previous research has noted that cybersecurity preparedness has been insufficient in this region.

When it comes to differences across different geographic regions, our data reveal that developers in North America and the Middle East and Africa are in the vanguard of the shift-left approach. These developers are the most likely to address security issues earlier in the development cycle: 62% of enterprise developers here are involved in security-related practices during the development phase. Moreover, we also see fewer developers working to address security issues post-deployment.

Although East Asia, excluding the Greater China area, ranks third in terms of developers that tackle security as part of the development phase (55%), the proportion of developers in this region that work on security pre-commit (identifying and scanning for vulnerabilities before code reaches the version control system) is significantly below the global average (16% in this region vs 24% globally). Developers in this region are most likely to focus on addressing vulnerabilities during the build phase, indicating that security checks could shift even further to pre-commit and commit phases.

Developers in North America and the Middle East and Africa are the most likely to perform security checks during development
% of enterprise developers in each region (Q2 2022 n=841)

Enterprise developers' involvement in security checks by geographic region
Region: development phase security checks / deploy-time security checks / Day N security checks only
North America: 62% / 34% / 20%
Middle East & Africa: 62% / 38% / 14%
East Asia ex. Greater China: 55% / 29% / 24%
Eastern Europe, Russia & Former CIS: 52% / 12% / 15%
South Asia: 50% / 31% / 20%
Western Europe & Israel: 48% / 22% / 22%
South America: 30% / 13% / 26%

One in five developers are involved in collecting application-level security metrics using tools which monitor the state of security capabilities across applications, e.g. tracking the number and severity of vulnerabilities. Such tools are vital for continuously detecting threats and defending against attacks in real-time and allow visibility into impacted areas of code, helping developers to prioritise their time and effort.

Just 9% of enterprise developers are engaged in red team/blue team exercises: simulations of real-world breach scenarios, assessing genuine preparedness and responses to a breach, whilst also providing training to those involved. This activity changes security postures from reactive to proactive and follows the shift-left paradigm by looking for risks at the earliest possible stages.

Our survey reveals some of the most common security-related activities across development and deployment that enterprise developers are engaged in. Vulnerability scanning emerges as the most common activity, with one-third of developers reporting this as part of their responsibilities. Vulnerability scanning checks container images or third-party dependencies for security risks, with tools often integrated into the CI/CD pipeline to perform scans. By identifying the points of weakness in a system's infrastructure, developers identify flaws and resolve them to reduce the software's attack surface. Vulnerability scanning is most likely to be used at deploy-time (Day 1): 58% of developers running Day 1 security checks use this approach.

Static code analysis is the next most common activity, supporting developers in identifying potential security threats and issues in the quality of the code. Static code analysis is utilised by 51% of developers that engage in build-time security checks.

Software composition analysis (SCA) tools also support a shift-left approach to security. SCA tools automate the examination of open source libraries for vulnerabilities that an attacker can exploit. These are used by 28% of enterprise developers overall and 48-49% of those responsible for commit-time and test-time security reviews, showing that they're particularly useful at this stage.

One-third of enterprise developers are involved in vulnerability scanning
% of enterprise developers (Q2 2022 n=841)

Involvement in security-related activities
Vulnerability scanning: 34%
Static analysis: 33%
Software composition analysis (SCA): 28%
Creating incident response plans: 24%
Collecting application-level security metrics: 21%
Bug bounty scanning: 13%
Red team/blue team exercises: 9%

AUTOMATING SECURITY

The most likely group of developers to adopt automated security approaches are key decision-makers and team leads who influence, manage, or set the strategy for their teams' purchase initiatives (90%). However, we find that
developers who work closer to the code than to the high-level/strategic operations of an organisation, such as those who write source code for new applications, and check-in code to version control systems, remain the least likely to be using automation tools for security (60%). Many decision makers are yet to cascade these practices down to their development teams. As the first line of defence in a shift-left approach, it is increasingly vital that developers adopt the best tools available to ensure they produce secure code.

Automation is a fundamental part of effective security and essential to adopting a shift-left approach. In this chapter, we show how enterprise developers are automating security processes. We identify differences according to their DevOps-related activities and their main reported challenges in software development.

Automation tools for provisioning infrastructure and continuously integrating/delivering software have dramatically improved software development productivity and velocity. Given the growing use of automation to compile, build, and deploy code to production, we examine how developers are automating security. Manual operations can result in less timely detection and more expensive remediation of security issues, as well as human errors and inconsistencies in security policy application. Automated methods help to increase efficiency, ensure consistency, and embed security into development processes. We asked developers to indicate whether they are using automated
approaches to security, such as performing security checks and reviews with scanning tools or applying automated fixes to the affected software.

Developers that set a strategy for IT purchases are the most likely to adopt security automation
% of enterprise developers (Q2 2022 n=841)

Developers' involvement in DevOps activities vs involvement in automation of security operations
Activity: automating security reviews/controls / not automating security reviews/controls
I write source code for new applications: 60% / 40%
I develop software solutions to meet customer needs: 61% / 39%
I check-in code to a version control system: 62% / 38%
I build CI/CD pipelines: 67% / 33%
I use continuous integration to automatically build and test my code changes: 69% / 31%
I use continuous delivery/deployment to automate my code deployments: 72% / 28%
I approve code deployments to production: 73% / 27%
I write specifications and documentation for server-side features: 74% / 26%
I create automated regression tests and/or validation checks: 76% / 24%
I develop plans and processes for technology improvements/expansion: 77% / 23%
I monitor software and infrastructure performance: 78% / 22%
I programmatically provision and manage IT infrastructures: 81% / 19%
I influence, manage, and/or set the strategy for IT purchase initiatives: 90% / 10%

Unsurprisingly, enterprise developers who rate security improvement as their primary goal are the most likely adopters of automation tools (85% with this goal are using such tools). However, developers primarily motivated by gaining experience to maximise their future career opportunities are the least likely to use automation: just 46%. The abstraction offered by such tools may not be offering the learning experience they desire. Organisations should attempt to support these learning experiences whilst also demonstrating that automation is not only a fundamental aspect of shift-left security but it also represents the highest level of maturity and excellence; developers with experience using automation tools are highly valued.

Interestingly, developers' use of automated methods for addressing security issues varies according to the issues they find particularly challenging. Developers who report their main challenges as including managing policies within the cloud-native ecosystem or managing the risks associated with the use of open source software are more likely to use automated security tools than those reporting other challenges. Developers particularly challenged by steep learning curves for tools or missing features within tools, are among the least likely to use
automation tools; finding tools that are comprehensive and easy to use is critical for adoption.

Developers that report difficulties managing policies in the cloud-native ecosystem and risks with open source software are the most likely to automate security
% of enterprise developers (Q2 2022 n=834)

Developers' main challenges in software development vs involvement in automation of security
Challenge: automating security / not automating security
Optimising software performance: 61% / 39%
Steep learning curves for tools: 61% / 39%
Missing features in tools: 62% / 38%
Ensuring software is scalable: 67% / 33%
Pricing/licensing fees: 68% / 32%
Making tooling decisions: 70% / 30%
Managing security/adding security to the pipeline: 73% / 27%
Managing risks with open source software: 83% / 17%
Managing policies in the cloud-native ecosystem: 83% / 17%

CONCLUSION

In order to support a shift-left approach, automation is fundamental. Two-thirds of all enterprise developers are using automated security tools. However, developers primarily motivated by gaining experience are the least likely to use automation. The abstraction offered by such tools may not be offering the learning experience they desire. Organisations should attempt to support such learning experiences whilst also demonstrating that automation represents the highest level of maturity and excellence for security.

APIs are fundamental building blocks for modern software systems. However, the majority of developers report that they have already experienced at least one security exploit in the APIs that they work with. In order to defend against security threats, a shift-left approach, which aims to enhance application security from the earliest stages in the development lifecycle, is critical.

More than half of enterprise developers are shifting left, with security playing a key role during early development. Less-experienced developers are the least likely to engage with security during development. Hence, more needs to be done to ensure that developers hit the ground running when it comes to tackling security issues at the outset of their careers.

APPENDIX

Regional distribution of respondents
% of respondents (Q2 2022 n=890)
North America: 38%
Western Europe & Israel: 23%
Eastern Europe, Russia & Former CIS: 10%
South America: 7%
South Asia: 7%
East Asia ex. Greater China: 7%
Middle East & Africa: 6%
Oceania: 1%

Job titles/roles of respondents
% of respondents (Q2 2022 n=890)
Embedded software developer/engineer: 11%
Data scientist, machine learning developer, or data engineer: 12%
DevOps engineer/specialist: 14%
Architect (system/solution/software/app): 17%
Tech/engineering team lead: 19%
CIO/CTO/IT manager: 21%
Programmer/software developer (incl. frontend, backend, full-stack): 49%