Shifting left might improve software security, but developers are becoming overwhelmed – communication barriers, tool sprawl, and ‘vulnerability overload’ are causing serious headaches for development teams

Nearly half of enterprises are trying to “shift left” in a bid to shore up software security, but false positives, the faster pace of development thanks to AI, and challenges integrating tools are limiting success for developers.
That’s according to research by AI security firm Pynt that focused on the adoption of shift left practices — referring to a strategy of spotting flaws and security issues earlier in the software development cycle when they’re easier to fix.
The survey of 250 security professionals found 47% of organizations had implemented a shift left approach to software development, with a further 27% working to do so.
But a quarter of developers felt overwhelmed by the volume of vulnerabilities, and more than a third saw false positives as the main challenge to implementing a successful shift-left strategy, followed by integration issues and vulnerability overload.
The study raises serious questions over whether this approach to software development is actually reducing overall risks, or merely increasing complexity, according to Pynt chief executive Tzvika Shneider.
“Everyone talks about shifting left, but few are seeing the security gains they expected,” said Shneider. “Most organizations have tools in place, but they still struggle with noise, process friction, and developer resistance.”
“AI accelerates how software is developed and shipped, forcing security to keep pace,” Shneider added.
The research also found that the vast majority of companies that had shifted left had turned to software tools to help the process, but 31% said that integrating those tools within development workflows continued to be a major barrier.
The most popular tools are Static Application Security Testing (SAST), Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST), with each used by about a third of respondents.
Software security priorities are causing friction
Two-thirds of respondents said they prefer to fix bugs in application code rather than with rules applied in post-production, highlighting friction between developers and security teams. The former prioritize feature development and see security as a burden, while the latter want to see flaws fixed rapidly.
“Shift right is easier since it doesn’t require extensive coordination between multiple teams, whereas Shift Left demands a collaborative effort across development, security, and testing teams,” the report noted.
“Shift Left was meant to improve security, but many organizations are finding that execution challenges are holding them back,” added Shneider. “Security leaders must rethink their approach to reduce friction between security and development teams while maintaining effective risk management.”
Pynt said that automation in security testing could help, and called for improved collaboration between security and development teams, including integrating security into testing phases.
Europeans are ahead in adopting shift-left practices, the survey found, with Germany and the UK both at 52%. Developer teams in the US, however, aren’t quite up to scratch in this regard, researchers found, with just 42% of enterprises having adopted the approach.
The report follows earlier research suggesting that enterprise security teams are struggling to keep up with the adoption of AI tools. Similar research found that the rise of AI coding tools may actually be slowing down development because of the security headaches it causes.