Why Vulnerable Code Is Shipped Knowingly

The business priority of speed of development and deployment is overshadowing the need for secure code.

The push to develop and deploy applications faster has grown from a goal for developers into a business-level priority that affects every organization's bottom line. To meet it, companies have begun to break down the silos between development, operations, and security, moving toward a DevSecOps model intended to deliver more agility and speed across the software development life cycle (SDLC).


Often lost in the rush toward a "need for speed" SDLC is the misalignment between the goals of DevOps and security practitioners. The two teams must balance competing objectives: getting new features out the door and minimizing software risk. This misalignment contributes to vulnerable code being shipped more often than it should be, but what most people don't realize is that much of this happens knowingly, and quite often. According to a recent ESG research report, almost half (48%) of organizations regularly push code they know to be vulnerable.


The simple question this statistic raises is: why? Cybersecurity remains a priority concern for every organization, and a single exploited vulnerability can undo in a few seconds a brand reputation that took decades to build. So why are developers knowingly deploying vulnerable code?


The findings of the report help shed some light on the reasons:


54% of organizations push vulnerable code in order to meet a critical deadline, with plans to remediate in a later release.
49% of organizations push vulnerable code because they think it holds very low risk.
45% of organizations publish vulnerable code because the vulnerabilities were discovered too late in the cycle to resolve them in time before ..
