JFrog and IDC Collaborative Research Shows That Developers Spend More Time on Software Security, Impacting Enterprise Competitive Advantage

Publisher: EE小广播 | Latest update time: 2024-10-14 | Source: EEWORLD

IDC InfoBrief Focuses on "The Hidden Costs of DevSecOps," Revealing That Enterprises Spend an Average of $28,000 Per Developer Per Year to Identify, Assess, and Resolve Software Security Issues


October 14, 2024 - JFrog, the streaming software company and creator of the JFrog Software Supply Chain Platform, released an IDC survey showing that developers are spending significantly more time on security-related tasks (such as manual application scanning reviews, context switching, and confidential information detection), and enterprises are spending up to $28,000 per developer per year on such tasks. The IDC InfoBrief, "The Hidden Cost of DevSecOps: A Developer's Time Assessment," sponsored by JFrog, shows that 50% of senior developers, team leaders, product owners, and development managers are spending significantly more time per week on software security-related tasks, which affects their ability to innovate, build, and deliver new business applications.


“Enterprises already face significant challenges in securing their software supply chains, and the situation becomes even more complicated when multiple tools are used, forcing developers to frequently switch between multiple online work environments, which reduces productivity, increases time costs and increases risks,” said Asaf Karas, CTO of JFrog Security. “IDC’s survey provides a strong argument for enterprises to invest in more streamlined security processes, tools, and training that will help their developers more efficiently and effectively protect their software supply chains.”


In the survey, half of the respondents said that they spend about 19% of their time each week on security-related tasks, often outside of normal working hours, which may lead them to take a reactive rather than proactive approach to software security. Other key findings from the IDC survey include:


● Chasing Shadows: Eliminating False Positives: Developers spend an average of 3.5 hours manually reviewing security scan results to exclude false positives and duplicates.

● Context matters: 69% of developers agree or strongly agree that their security-related responsibilities require them to frequently switch context between various tools, which reduces their productivity. Multi-tool context switching also increases the use of tokens due to the need to bypass re-authentication for each tool platform. Tokens are helpful for application development, but they can also be forgotten in the workflow, leaving security holes in the company's systems that attackers can exploit.

● Key management is not easy: Developers spend 50% of their time parsing key scan results, modifying code to fix discovered issues, and updating key management practices.

● Infrastructure Survey: Infrastructure as Code (IaC) is used to automatically configure and manage IT infrastructure such as servers, networks, operating systems, and storage. It must be scanned every time the code is changed. More than 54% of developers said they run IaC scans once a week or month.

● SAST is not foolproof: Although static application security testing (SAST) tools have been integrated into local development environments and can provide test results as developers write code, only 23% of developers run SAST scans before deploying code to production environments, which leaves a large opening for malicious code to slip in.


"DevSecOps is not only an enterprise imperative, it is also the cornerstone for building secure applications of the future. However, the industry is struggling to overcome the challenges of inefficient and poorly applied tools that waste developer time and drive up costs," said Katie Norton, research manager, DevSecOps and Software Supply Chain Security at IDC. "To succeed, IT and software development team leaders must automate repetitive and time-consuming tasks, ensure DevSecOps tools deliver accurate results with minimal false positives, and provide developers with ongoing application security education and resources to stay on top of the growing threat landscape."


The IDC InfoBrief survey included senior developers, team managers, product owners, and development managers from more than 20 companies with more than 1,000 employees in the United States, the United Kingdom, France, and Germany.

