Op-Ed: Addressing systemic security flaws in modern software development

Security frustrations are often attributed to cultural shortcomings; however, this perspective neglects the fundamental impact of technical infrastructure complexity.

Security leaders are struggling with the practical realities of managing sprawling tech stacks and persistent vulnerability management issues. These systemic technical obstacles create persistent barriers to reaching security maturity.

According to GitLab’s latest DevSecOps survey, there’s a clear disconnect between engineering and security teams. A majority (58 per cent) of security respondents report difficulty getting development to prioritise the remediation of vulnerabilities, and 52 per cent said that red tape often slows their efforts to fix vulnerabilities quickly. Additional challenges include difficulty interpreting security findings, frequent false positives, and security testing that occurs too late in the software development process. These findings highlight a deeper organisational challenge that spans culture, process, and technology.

However, this disconnect also presents a strategic opportunity for organisations. DevSecOps can bridge the gap between engineering and security teams to address the technical hurdles and the perception issues that contribute to their friction. By integrating security throughout the software development life cycle, organisations can transform these challenges into competitive advantages.

Break the cycle of endless scanning

Vulnerability scanning surfaces countless potential vulnerabilities, but many Common Vulnerabilities and Exposures (CVEs) are not exploitable in production environments. This reality creates a burden on security teams and developers who waste precious resources triaging and filtering through an ever-growing volume of vulnerability findings – a problem that has intensified since authenticated vulnerability scanning became the norm.

While the move to authenticated scanning has strengthened security programs in many ways, it has also trapped developers in an exhausting cycle of addressing low-risk issues that may never pose actual threats – often at the expense of more critical tasks, such as addressing genuinely exploitable vulnerabilities.

This misalignment of priorities contributes to the division between security and engineering teams. Organisations must break this cycle to improve collaboration between teams. Here are three strategic approaches to address common security frustrations and foster cross-functional partnerships.

1. Cut through the noise with high-fidelity insights

Too many false positives ranked as the second-most significant frustration identified by security respondents in our survey. False positives are a challenge, but they are often a vulnerability management problem in disguise.

Organisations experiencing excessive false positives have not usually optimised their security tooling for high-fidelity results. Security teams should sharpen their focus on what genuinely matters. That means traditional static application security testing (SAST) solutions are likely insufficient. SAST is a powerful tool, but it loses much of its value if the results are unmanageable or lack appropriate context. For SAST to be most effective, it must integrate seamlessly with other security and development tools and be accessible to developers.

Most scanning tools also suffer from a limited context window for understanding vulnerability findings. This represents an area where AI can be particularly helpful, with features that can analyse code, clearly explain security vulnerabilities, and reduce false positives by understanding application context and behaviour patterns.

2. Reduce toolchain sprawl to reduce risk

Staying focused on what matters doesn’t just apply to security testing – it should start with how an organisation builds software in the first place.

Although AI promises to help simplify software development processes, many organisations still have a long road ahead. In fact, respondents who are using AI were significantly more likely than those not using AI to want to consolidate their toolchain, suggesting that the proliferation of different point solutions running different AI models could be adding complexity, not taking it away.

The ever-increasing complexity of organisations’ tech stacks is a major contributor to security frustrations. GitLab’s survey found that 73 per cent of Australian professionals working in DevSecOps use between two and 10 tools for software development, and half want to consolidate their toolchain. Some complexity is unavoidable when building large, multifaceted software systems. However, organisations should take steps to avoid complexity resulting from suboptimal design decisions, such as difficult-to-maintain code and redundant dependencies. This unnecessary complexity creates a larger attack surface and generates more security scan findings for teams to sort through, prioritise, and address.

Organisations should approach development through the lens of software minimisation – being intentional about the tools they adopt and what they decide to build into their codebases. This will help minimise dependencies, improve the security of the software supply chain, reduce scanner noise, and ease the burden on developers to fix non-critical issues.

3. Adopt proven design patterns

Security testing happening too late in the software development life cycle was another one of the top frustrations identified by our survey respondents. Teams might be frustrated when they want to ship something and it gets delayed because a vulnerability is detected late – but in many cases, it might not have been possible to detect that vulnerability any earlier. What is possible, however, is operationalising easily deployable, reusable security components, limiting the variables and potential vulnerabilities.

Teams can avoid late-stage surprises by embracing tested and assured design patterns based on repeatable use cases: the “paved roads” approach. A paved road is a recommended path, including a curated set of tools, processes, and components, that teams can follow to build secure applications more efficiently – for example, using GitOps to version and deploy well-architected and tested infrastructure as code that deploys at scale for all workloads.

Adopting paved roads potentially removes some flexibility but ultimately reduces the operational burden and rework on engineering teams and increases security. This needs to be a collaborative effort between security and development. Security can help to design paved roads, but engineering has to be involved to operate and maintain them as part of the codebase.

Security as a collective practice

The boundaries between security and engineering are becoming less defined as security practices become increasingly embedded within development workflows. However, with the rapid adoption of AI and the corresponding acceleration of software development – 65 per cent of GitLab’s survey respondents in Australia said they are releasing software twice as fast or faster than last year – establishing systems and frameworks that maximise security benefits will be essential.

For example, Australian real estate leader Lendlease has demonstrated the power of this approach. By equipping developers with a unified DevSecOps platform that embeds security from the earliest stages of development, they have accelerated software deployment while strengthening their security posture. This approach delivers enhanced visibility, fosters collaboration, and eliminates late-stage security delays.

Closing the cultural divide between security and development teams is only the first step. True security transformation requires these teams to rethink the fundamentals of software development – optimising existing codebases and building scalable engineering-centric solutions that seamlessly integrate across the entire organisation. This approach is essential to ensuring security can keep pace with the remarkable speed of modern software development.