Date: 2019-10-07

The problem of not testing and not doing anything about known vulnerabilities is almost always tied to pressure to decrease time to value. Almost half (48%) of developers say they don't have enough time to spend on security (2018 DevSecOps Community Survey). Other surveys concur; there is incredible pressure on developers to churn out code faster and more frequently. Security continues to be the 'thing' that's dropped when speed is on the line, whether in the data path or the delivery path.

It's well established that people work toward what they're measured on. Developers are people, so they are subject to that rule, too. If they're measured on quickly getting to market, they're going to work toward that, even if it means skipping steps and compromising security. If we're going to deliver secure applications to market, we need to embrace a cultural shift that measures and values securely getting to market as much as it does quickly getting to market.

Until that shift happens, we're just as safe relying on red and blue lasers to deal with vulnerabilities as we are on developers.