“Newer languages show up every few years and it definitely adds to the complexity,” Rajamani said. “For instance, Golang and Rust have become popular in the last two to three years. The tooling used for security reviews and finding application vulnerabilities isn’t always mature enough to support new languages and generally needs time to catch up.”
Documentation is often a sticking point, regardless of language. While 71% of organizations reported releasing application updates at least once a week, teams are still using manual documentation (74%) and spreadsheets (68%) to catalog and inventory their applications and APIs. The study points out that this over-reliance on manual effort leaves these inventories prone to errors and to drifting out of date between releases.
The study also uncovered a lack of attention paid to security reviews.
Security requires more support
Survey respondents estimated that, on average, only 54% of major code changes undergo a full security review before deploying to production, and 22% of respondents said they review 24% or fewer of their code changes.
That finding didn’t surprise Forrester senior analyst Janet Worthington.
“Cloud, containers, and DevOps tools have empowered product development teams to deploy more frequently,” said Worthington. “Teams are now able to release on a monthly, weekly, daily, and even hourly basis in some cases. Considering the limited number of security professionals in comparison to the number of developers, it is impossible for security teams to manually review all code changes.”