IDC study flags devsecops security knowledge worries

An IDC report sponsored by JFrog has identified a lack of devsecops security knowledge as a key organisational concern.

One implication is that organisations may delay devsecops plans, the report suggested.

“IDC’s research finds developer security knowledge to be the top organisational concern regarding devsecops adoption,” the related report said.

At the same time, 33% of the developers surveyed spent 4.4 hours a month or less doing security training. That’s less than an hour a week, JFrog pointed out.

Developers often have to multi-task as well, which adds to the cognitive load. For example, 69% of developers agreed or “strongly” agreed that their security-related responsibilities require frequent context switches.

IDC surveyed 210 development team leaders, managers and product owners across Europe and the USA. In summary, the polling asked how time spent on devsecops and security tasks affected developers and the business.

“The average organisation spends more than $28,100 (£20,810) per developer per year for time spent on security-related tasks,” the report said.

At the time, half of the surveyed developers suggested they’d spent more hours on security tasks in the past year.

This came to 1.8 extra hours on security each week. But security tasks already ate up 19% of their time on average, the report said.

Required devsecops security knowledge

In addition, many likely weren’t keeping up. For instance, fewer than 25% of respondents ran secrets scans as part of every code review or code change.

Developers scanned for secrets most often during development against source code. Half did so no more than weekly, with many scanning for secrets less often than that, the report added.

Typically, half of their secret-scanning time was taken up by interpretation, remediation and secrets solution or vault updates, it said.

JFrog sells a software supply chain platform for devops, building, managing, and distributing software. Its security features include vulnerability contextual analysis, static application security testing (SAST) source code scanning, and security exposure scanning.

The platform can find and fix configuration issues in common OSS libraries and services, for instance problems with privileges, communication methods, authorisation mechanisms and cryptographic operations, according to the vendor.

In addition, JFrog recently signed a deal with Nvidia around agentic AI enablement.
