
Guest Blog: The Need to Close the Cultural Divide Between Application Security and Developers


Publish Date

Sep 23, 2020

Tagged with

  • DevSecOps
  • Secure DevOps
  • Ponemon

In this guest blog post, Dr. Larry Ponemon and Susan Jayson of Ponemon Institute discuss the findings of their recent research study, “Revealing the Cultural Divide Between Application Security and Development,” sponsored by ZeroNorth. 

A security risk that many organizations are not dealing with is the cultural divide between application security and developers. In this research sponsored by ZeroNorth, we refer to the cultural divide as when AppSec and developers lack a common vision for delivering software capabilities required by the business—securely. As a result, AppSec and developers are less likely to work effectively as a team and achieve the goals of building and delivering code in a timely manner with security integrated throughout the application development process.

Ponemon Institute surveyed 581 security practitioners who are involved in and knowledgeable about their organization’s software application security activities and 549 who are involved in and knowledgeable about their organization’s software application development process.

Following are findings that reveal why the cultural divide exists and its effect on the security of applications:

  • Who is responsible for the security of applications? Developer and AppSec respondents don’t agree on which function is ultimately responsible for the security of applications. Only 39 percent of developer respondents say the security team is ultimately responsible for application security. In contrast, 67 percent of AppSec say their teams are responsible. This lack of alignment demonstrates the potential for security to simply fall through the cracks if ownership is not clearly understood.
  • AppSec and developer respondents admit working together is difficult. AppSec respondents say it’s because the developers publish code with known vulnerabilities. They also believe developers will accept flaws if they believe the application will be a big seller. Developers say security does not understand the pressure they have to meet their deadlines. Developers also believe working with the AppSec team stifles their ability to innovate. It’s clear that today, priorities, goals and objectives across these two teams are not aligned and this disconnect drives a wedge between the functions.
  • Now more than ever AppSec and developers need to work as a team. Digital transformation is putting pressure on organizations to develop applications at increasing speeds, potentially putting their security at risk. Sixty-five percent of developer respondents say they feel the pressure to develop applications faster than before digital transformation. Fifty percent of AppSec respondents agree.
  • AppSec respondents see serious problems with application security practices in their organization. Seventy-one percent of AppSec respondents say the state of security is undermined by developers who don’t care about the need to secure applications early in the SDLC. Sixty-nine percent of AppSec respondents say developers do not have visibility into the overall state of application security. As evidence of the tension between security and developers, 53 percent of AppSec respondents say developers view security as a hindrance to releasing new applications. Here again, competing priorities—speed for developers, security for AppSec—are often at odds.
  • Security respondents and developers disagree on whether the application security risk is increasing. Only 35 percent of developer respondents say application security risk in the organization is significantly increasing or increasing. In contrast, 60 percent of AppSec respondents say application security risk is increasing. This raises a question: which teams have clear visibility into the security posture of an application throughout its lifecycle?


As shown in this research, technology alone cannot bridge the cultural divide. Rather, senior leadership needs to understand the serious risks to business-critical applications that follow from the admission by both AppSec and developers in this research that working together is very difficult. A first step to closing the cultural divide is for senior leadership to create a culture that encourages teamwork, collaboration and accountability.

We hope you will download the full report and look forward to your comments.

Warmest regards,
Dr. Larry Ponemon & Susan Jayson
