Shifting left might improve software security, but developers are becoming overwhelmed – communication barriers, tool sprawl, and ‘vulnerability overload’ are causing serious headaches for development teams
Enterprises are reporting serious challenges when it comes to software security improvements
Nearly half of enterprises are trying to "shift left" in a bid to shore up software security, but developers are reporting significant issues with the strategy.
False positives, the faster pace of development thanks to AI, and challenges integrating tools are hampering progress.
That's according to research by AI security firm Pynt that focused on the adoption of shift left practices — referring to a strategy of spotting flaws and security issues earlier in the software development cycle when they're easier to fix.
The survey of 250 security professionals found 47% of organizations had implemented a shift left approach to software development, with a further 27% working to do so.
But a quarter of developers felt overwhelmed by the volume of vulnerabilities, and more than a third saw false positives as the main challenge to implementing a successful shift-left strategy, followed by integration issues and vulnerability overload.
The study raises serious questions over whether this approach to software development is actually reducing overall risks, or merely increasing complexity, according to Pynt chief executive Tzvika Shneider.
"Everyone talks about shifting left, but few are seeing the security gains they expected," said Shneider. "Most organizations have tools in place, but they still struggle with noise, process friction, and developer resistance."
"AI accelerates how software is developed and shipped, forcing security to keep pace," Shneider added.
The research also found that the vast majority of companies that had shifted left had turned to software tools to help the process, but 31% said that integrating those tools within development workflows continued to be a major barrier.
The most popular tools are Static Application Security Testing (SAST), Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST), with each used by about a third of respondents.
Software security priorities are causing friction
Two-thirds of respondents said they prefer to fix bugs in app code rather than with rules in post-production, highlighting friction between developers and security teams. The former prioritize feature development and see security as a burden, while the latter want to see flaws fixed rapidly.
"Shift right is easier since it doesn't require extensive coordination between multiple teams, whereas Shift Left demands a collaborative effort across development, security, and testing teams," the report noted.
"Shift Left was meant to improve security, but many organizations are finding that execution challenges are holding them back," added Shneider. "Security leaders must rethink their approach to reduce friction between security and development teams while maintaining effective risk management."
Pynt said that automation in security testing could help, and called for improved collaboration between security and development teams, including integrating security into testing phases.
Europeans are ahead in adopting shift-left practices, the survey found, with Germany and the UK both at 52%. Developer teams in the US, however, aren't quite up to scratch in this regard, researchers found, with just 42% of enterprises having adopted the approach.
The report follows earlier research suggesting enterprise security teams are struggling to keep up with the adoption of AI tools. Similar research suggests the rise of AI coding tools may actually be slowing down development because of the security headaches it causes.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.