JFrog-Sponsored IDC Study Shows Growing Developer Focus on Software Security, Impacting Companies’ Competitive Advantage
JFrog (Nasdaq: FROG) released findings from an IDC survey revealing significant time and financial costs associated with software security tasks for developers. The study, titled 'The Hidden Cost of DevSecOps: A Developer's Time Assessment,' shows that companies spend an average of $28,000 per developer annually on security-related tasks.
Key findings include:
- 50% of developers experienced a significant increase in weekly hours spent on security tasks
- Developers spend an average of 3.5 hours manually reviewing security scanning findings
- 69% of developers agree that security responsibilities require frequent context switching between tools
- Developers devote 50% of their time to understanding and addressing secrets scanning results
- Only 23% of developers run static application security testing (SAST) scans before deploying code to production
The survey emphasizes the need for streamlined security processes, tooling, and training to improve efficiency and effectiveness in protecting the software supply chain.
JFrog (Nasdaq: FROG) ha pubblicato i risultati di un'indagine IDC che rivelano i significativi costi in termini di tempo e denaro associati ai compiti di sicurezza del software per gli sviluppatori. Lo studio, intitolato 'Il Costo Nascosto del DevSecOps: Una Valutazione del Tempo degli Sviluppatori', mostra che le aziende spendono in media $28.000 per sviluppatore all'anno per attività legate alla sicurezza.
I risultati chiave includono:
- Il 50% degli sviluppatori ha riscontrato un aumento significativo delle ore settimanali dedicate ai compiti di sicurezza
- Gli sviluppatori dedicano in media 3,5 ore a rivedere manualmente i risultati delle scansioni di sicurezza
- Il 69% degli sviluppatori concorda sul fatto che le responsabilità di sicurezza richiedono frequenti cambi di contesto tra gli strumenti
- Gli sviluppatori dedicano il 50% del loro tempo a comprendere e affrontare i risultati delle scansioni dei segreti
- Solo il 23% degli sviluppatori esegue scansioni di testing della sicurezza delle applicazioni statiche (SAST) prima di distribuire il codice in produzione
L'indagine sottolinea la necessità di semplificare i processi di sicurezza, gli strumenti e la formazione per migliorare l'efficienza e l'efficacia nella protezione della catena di fornitura del software.
JFrog (Nasdaq: FROG) publicó los resultados de una encuesta de IDC que revela los significativos costos de tiempo y financieros asociados con las tareas de seguridad del software para los desarrolladores. El estudio, titulado 'El Costo Oculto del DevSecOps: Una Evaluación del Tiempo de un Desarrollador', muestra que las empresas gastan un promedio de $28,000 por desarrollador anualmente en tareas relacionadas con la seguridad.
Los hallazgos clave incluyen:
- El 50% de los desarrolladores experimentó un aumento significativo en las horas semanales dedicadas a tareas de seguridad
- Los desarrolladores pasan un promedio de 3.5 horas revisando manualmente los resultados de las pruebas de seguridad
- El 69% de los desarrolladores está de acuerdo en que las responsabilidades de seguridad requieren cambios de contexto frecuentes entre herramientas
- Los desarrolladores dedican el 50% de su tiempo a entender y abordar los resultados de escaneo de secretos
- Solo el 23% de los desarrolladores realiza escaneos de pruebas de seguridad de aplicaciones estáticas (SAST) antes de implementar código en producción
La encuesta enfatiza la necesidad de procesos de seguridad, herramientas y capacitación más eficientes para mejorar la eficacia y eficiencia en la protección de la cadena de suministro de software.
JFrog (Nasdaq: FROG)는 개발자의 소프트웨어 보안 작업과 관련된 상당한 시간 및 재정 비용을 밝혀낸 IDC 설문의 결과를 발표했습니다. 'DevSecOps의 숨겨진 비용: 개발자의 시간 평가'라는 제목의 연구에서 기업은 보안 관련 작업에 대해 연간 $28,000 per 개발자를 평균적으로 지출한다는 것을 보여줍니다.
주요 결과는 다음과 같습니다:
- 50%의 개발자가 보안 작업에 소요되는 주간 시간이 크게 증가했다고 답했습니다.
- 개발자는 보안 스캔 결과를 수동으로 검토하는 데 평균 3.5시간을 소모합니다.
- 69%의 개발자가 보안 책임을 수행하기 위해 도구 간 빈번한 전환이 필요하다고 동의합니다.
- 개발자는 비밀 스캔 결과를 이해하고 해결하는 데 50%의 시간을 할애합니다.
- 개발자의 단 23%만이 코드를 배포하기 전에 정적 애플리케이션 보안 테스트(SAST) 스캔을 수행합니다.
이번 설문조사는 소프트웨어 공급망 보호의 효율성과 효과성을 개선하기 위해 간소화된 보안 프로세스, 도구 및 교육의 필요성을 강조합니다.
JFrog (Nasdaq: FROG) a publié les résultats d'une enquête IDC révélant des coûts temporels et financiers significatifs associés aux tâches de sécurité logicielle pour les développeurs. L'étude, intitulée 'Le Coût Caché du DevSecOps : une Évaluation du Temps des Développeurs', montre que les entreprises dépensent en moyenne 28 000 $ par développeur et par an pour des tâches liées à la sécurité.
Les conclusions clés incluent :
- 50 % des développeurs ont constaté une augmentation significative des heures hebdomadaires consacrées aux tâches de sécurité
- Les développeurs passent en moyenne 3,5 heures à examiner manuellement les résultats des analyses de sécurité
- 69 % des développeurs conviennent que les responsabilités de sécurité nécessitent un changement fréquent de contexte entre les outils
- Les développeurs consacrent 50 % de leur temps à comprendre et à traiter les résultats des analyses de secrets
- Seulement 23 % des développeurs effectuent des tests de sécurité d'applications statiques (SAST) avant de déployer du code en production
L'enquête souligne la nécessité de rationaliser les processus de sécurité, les outils et la formation pour améliorer l'efficacité et l'efficience dans la protection de la chaîne d'approvisionnement des logiciels.
JFrog (Nasdaq: FROG) veröffentlichte die Ergebnisse einer IDC-Umfrage, die erhebliche Zeit- und Finanzkosten im Zusammenhang mit Sicherheitsaufgaben für Entwickler aufdeckt. Die Studie mit dem Titel 'Die verborgenen Kosten von DevSecOps: Eine Zeitbewertung für Entwickler' zeigt, dass Unternehmen im Durchschnitt $28.000 pro Entwickler und Jahr für sicherheitsrelevante Aufgaben ausgeben.
Wesentliche Ergebnisse sind:
- 50% der Entwickler berichteten von einem signifikanten Anstieg der wöchentlichen Stunden, die für Sicherheitsaufgaben aufgewendet werden
- Entwickler verbringen im Durchschnitt 3,5 Stunden mit der manuellen Überprüfung von Sicherheitsscannergebnissen
- 69% der Entwickler stimmen zu, dass Sicherheitsverantwortlichkeiten häufiges Umschalten zwischen verschiedenen Tools erfordern
- Entwickler widmen 50% ihrer Zeit dem Verständnis und der Bearbeitung von Ergebnissen aus der Geheimnisscannerprüfung
- Nur 23% der Entwickler führen vor der Bereitstellung von Code in Produktion statische Anwendungssicherheitstests (SAST) durch
Die Umfrage betont die Notwendigkeit für optimierte Sicherheitsprozesse, Werkzeuge und Schulungen, um die Effizienz und Effektivität beim Schutz der Software-Lieferkette zu verbessern.
- JFrog's sponsored IDC study provides valuable insights into DevSecOps challenges and costs
- The study highlights the growing importance of software security in the development process
- Findings may drive increased demand for JFrog's Software Supply Chain Platform and security solutions
- Increased time spent on security tasks may slow down development and innovation processes
- High costs associated with security-related tasks ($28,000 per developer annually) may impact company budgets
- Inefficiencies in current security processes and tools may lead to increased risks and vulnerabilities
Insights
1. Market Opportunity: There's a clear need for more efficient DevSecOps tools, which aligns with JFrog's product offerings. This could drive increased demand for their Software Supply Chain Platform.
2. Competitive Advantage: Companies that can streamline security processes may gain a significant edge. JFrog's focus on this area could strengthen its market position.
3. Industry Trends: The shift towards increased security focus in development processes indicates a long-term trend that could shape future software development practices and tools.
4. Potential Growth: As companies recognize these hidden costs, they may increase investments in DevSecOps solutions, potentially benefiting JFrog's revenue streams.
1. Time Drain: Developers spend
2. False Positives: An average of 3.5 hours per week is wasted on manual reviews due to inaccurate scanning results.
3. Context Switching:
4. Secrets Management: Half of security-related time is spent on secrets scanning and remediation, indicating a significant challenge in this area.
5. SAST Underutilization: Only
These findings underscore the need for more integrated, accurate and automated DevSecOps solutions, which aligns with JFrog's product strategy and market positioning.
Titled the "Hidden Costs of DevSecOps," the IDC InfoBrief Reveals Companies Spend an Average of $28K Per Developer Annually on Identifying, Evaluating, and Addressing Software Security Concerns
New IDC InfoBrief Shows Growing Developer Focus on Software Security, Impacting Companies’ Competitive Advantage (Graphic: Business Wire)
"Securing the software supply chain already poses significant challenges for organizations, but it becomes more complex when multiple tools are used, forcing developers to toggle between multiple environments, leading to inefficiencies, wasted time, and increased risk,” said Asaf Karas, CTO of JFrog Security. “IDC’s survey creates a compelling case for companies to invest in streamlined security processes, tooling and training, to empower their developers to be more efficient and effective in protecting the software supply chain.”
Half of survey respondents said they spend an estimated
- Chasing Ghosts: Eliminating False Positives: Developers spend 3.5 hours on average manually reviewing security scanning findings because of false positives and duplicates.
-
Context Matters:
69% of developers agree or strongly agree that their security-related responsibilities require them to frequently switch contexts between various tools, slowing efficiency. Multitool context switching can also increase token usage for bypassing reauthentication per platform. Tokens can be helpful in application development but can also be quickly forgotten and leave backdoors in companies’ systems for attacks. -
Secrets are No Fun: Developers devote
50% of their time to understanding and interpreting secrets scanning results, making changes to code to remediate findings, and updating secrets management measures. -
Infrastructure Investigation: Infrastructure-as-Code (IaC) – used to automate the provisioning and management of IT infrastructure, such as servers, networking, operating systems, and storage – must be scanned every time code changes, with more than
54% of developers saying they run IaC scans weekly or monthly. -
SAST Isn’t a Blast: Despite static application security testing (SAST) tools being integrated to local development environments to provide findings as developers code, only
23% of developers are running SAST scans before deploying code into production, leaving a huge gap for malicious code to slip through.
"DevSecOps is not just a business imperative; it is the cornerstone of building the secure applications of the future. However, a significant challenge lies in overcoming inefficient, poorly implemented tools that squander developers’ time and inflate costs,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “To be successful, IT and software development team leaders must automate repetitive and time-consuming tasks, ensure DevSecOps tools deliver accuracy with minimal false positives, and provide ongoing access for developers to application security education and resources so they can keep pace with a rapidly increasing threat landscape."
The IDC InfoBrief surveyed senior developers, team leaders, product owners and development managers from companies in 20+ industries with 1K+ employees across the
Like this story? Tweet this: New @IDC survey finds that developers severely underestimate the time they spend performing #DevSecOps tasks, leading to hidden costs for their organizations. Read the full report: https://bit.ly/4feUtjl #DevOps #security #MLOps #softwaresupplychain
About JFrog
JFrog Ltd. (Nasdaq: FROG), is on a mission to create a world of software delivered without friction from developer to device. Driven by a “Liquid Software” vision, the JFrog Software Supply Chain Platform is a single system of record that powers organizations to build, manage, and distribute software quickly and securely, ensuring it is available, traceable, and tamper-proof. The integrated security features also help identify, protect, and remediate against threats and vulnerabilities. JFrog’s hybrid, universal, multi-cloud platform is available as both self-hosted and SaaS services across major cloud service providers. Millions of users and 7K+ customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation. Learn more at www.jfrog.com or follow us on X @JFrog.
View source version on businesswire.com: https://www.businesswire.com/news/home/20241009432650/en/
Media Contact:
Siobhan Lyons, Sr. Manager, Global Communications, JFrog, siobhanL@jfrog.com
Investor Contact:
Jeff Schreiner, VP of Investor Relations, JFrog, jeffS@jfrog.com
Source: JFrog Ltd.
FAQ
How much do companies spend annually per developer on security-related tasks according to the JFrog-sponsored IDC study?
What percentage of developers experienced an increase in time spent on security tasks, as reported in the JFrog (FROG) IDC study?
How many hours do developers spend on average reviewing security scanning findings, according to the JFrog (FROG) sponsored IDC survey?
What percentage of developers run SAST scans before deploying code to production, as reported in the JFrog (FROG) IDC study?
