UPDATED 09:00 EDT / AUGUST 07 2018


Report finds most enterprises fail to implement security across DevOps process

Most organizations want to implement security into the entire DevOps process, but they’re struggling to do so.

That’s the biggest takeaway from a new report out today from security firm Checkmarx Ltd. “Managing Software Exposure: Time to Fully Embed Security into Your Application Lifecycle” was undertaken in conjunction with FreeForm Dynamics and The Register based on the input of 183 respondents worldwide in a variety of information technology roles.

The report found that a full 92 percent of respondents said they were failing to implement security across their entire DevOps stack despite a desire to do so.

Education was cited as an ongoing issue, with 96 percent of respondents saying that they believed it was “desirable” or “highly desirable” for developers to be properly trained on how to produce secure code. A majority of respondents said they believe it’s more important to educate developers and empower them than it is to educate other stakeholders in the organization such as operations and security specialists.

Some 41 percent of respondents said that they agree that defining clear ownership and responsibility in relation to software security remains a big challenge, while only 11 percent said they’ve adequately addressed the need for developer education.

“Today, software is everywhere and the majority of respondents agree that it is integral to most business initiatives, yet there are still many gaps when it comes to securing that software,” Maty Siman, Checkmarx founder and chief technology officer, said in a statement. “Increased software complexity and the need to move at the speed of DevOps is creating a new type of risk in the form of software exposure, and as the results of this report attest, software security also needs to change.”

Other key findings included 57 percent of respondents agreeing with the statement that software security is now a boardroom issue. But 45 percent said they find it challenging to get senior management to approve funding for security training. And 44 percent said executives don’t care about how quickly, frequently and safely developers deliver software; they just want them to do it.

