Parasoft announces the opening of its new office in Northeast Ohio.
Does DevSecOps Deliver on Application Security? Survey Says … Yes
November 27, 2023
You can't open a browser these days without reading another story about a ransomware attack or a newly discovered software vulnerability putting thousands at risk. There's no shortage of such incidents, and while fingers will always find a target to point at, there's plenty of blame to go around. In fact, recent research conducted by ESG and sponsored by Mend.io found just 52% of companies can effectively remediate a critical vulnerability — and even fewer (42%) are confident in their ability to manage the security and compliance risks associated with open-source software.
Frankly, that's alarming. And it begs lots of questions about the challenges those organizations are facing. What I find more interesting is the other 48% — the organizations that can effectively remediate a critical vulnerability. What are they doing right that others can learn from?
It turns out, they're embracing DevOps with arms wide open. The research revealed organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to have extensively embraced DevOps (46% vs. 20%).
Use DevSecOps Tools and Processes to Automate Security Checks
We know DevOps brings tremendous benefits and efficiencies to the development process, so it stands to reason incorporating security into DevOps processes and developer workflows should have a similar impact on remediation. The research corroborates that theory, finding that organizations able to keep pace with vulnerabilities are 3.3x more likely to have extensively incorporated security into development processes.
These high functioning security organizations have incorporated application security practices into DevOps with an eye toward automating security checks. In the examples below, you'll see how organizations that effectively remediate vulnerabilities (first number) compare against those who cannot remediate effectively (second number).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production (78% versus 61%).
■ Apply runtime API security controls (79% versus 58%).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production more often (78% versus 61%).
■ Discover and inspect APIs in source code (72% versus 61%).
■ Apply runtime threat prevention controls (e.g., anti-malware, application control, virtual patching, intrusion prevention, 73% versus 62%).
■ Log all changes for compliance audits (i.e., compliance-as-code, 70% versus 51%).
■ Apply dependency management for open source components (64% versus 54%).
■ Use software composition analysis (SCA) tools to inventory and audit third-party software components to identify and remediate vulnerabilities (60% versus 44%)
Shift Left, Collaborate, and Listen
In the past, with monolithic applications and waterfall development processes, security teams held responsibility for testing, finding, and remediating security issues. However, as more security practices are integrated with modern DevOps processes, it's no surprise the onus for application security is falling on developers. Indeed, 49% of organizations are putting all or most of the responsibility of their application security on their developers. But that's not necessarily a bad thing, as the data also points to developer accountability driving stronger collaboration between these groups.
For organizations efficient at remediation, the research found more than half (52%) encourage collaboration between development, security, and operations. And the earlier collaboration starts in the software development lifecycle (SDLC), the better. Organizations that began collaboration during the "requirements and design" phase reported a lower average of 2.3 serious security incidents, compared with 3.2 incidents experienced by organizations that engaged in collaboration later in the SDLC. From this, we can conclude early-stage teamwork can bolster security measures and minimize vulnerability-related risks.
Why It Matters
When it comes to application security, organizations only care about one thing: decreasing or eliminating security incident rates. Companies that can keep up with critical vulnerabilities succeed with the ultimate KPI for application security programs: lower security incident rates. These organizations were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit internally developed applications over the last 12 months. Examining the characteristics and experiences of those organizations that can remediate vulnerabilities effectively, it's pretty clear that DevSecOps delivers what matters.
Industry News
May 02, 2024
Postman released v11, a significant update that speeds up development by reducing collaboration friction on APIs.
May 02, 2024
Sysdig announced the launch of the company’s Runtime Insights Partner Ecosystem, recognizing the leading security solutions that combine with Sysdig to help customers prioritize and respond to critical security risks.
May 02, 2024
Nokod Security announced the general availability of the Nokod Security Platform.
May 02, 2024
Drata has acquired oak9, a cloud native security platform, and released a new capability in beta to seamlessly bring continuous compliance into the software development lifecycle.
May 01, 2024
Amazon Web Services (AWS) announced the general availability of Amazon Q, a generative artificial intelligence (AI)-powered assistant for accelerating software development and leveraging companies’ internal data.
May 01, 2024
Red Hat announced the general availability of Red Hat Enterprise Linux 9.4, the latest version of the enterprise Linux platform.
May 01, 2024
ActiveState unveiled Get Current, Stay Current (GCSC) – a continuous code refactoring service that deals with breaking changes so enterprises can stay current with the pace of open source.
May 01, 2024
Lineaje released Open-Source Manager (OSM), a solution to bring transparency to open-source software components in applications and proactively manage and mitigate associated risks.
May 01, 2024
Synopsys announced the availability of Polaris Assist, an AI-powered application security assistant on the Synopsys Polaris Software Integrity Platform®.
April 30, 2024
Backslash Security announced the findings of its GPT-4 developer simulation exercise, designed and conducted by the Backslash Research Team, to identify security issues associated with LLM-generated code. The Backslash platform offers several core capabilities that address growing security concerns around AI-generated code, including open source code reachability analysis and phantom package visibility capabilities.
April 30, 2024
Azul announced that Azul Intelligence Cloud, Azul’s cloud analytics solution -- which provides actionable intelligence from production Java runtime data to dramatically boost developer productivity -- now supports Oracle JDK and any OpenJDK-based JVM (Java Virtual Machine) from any vendor or distribution.
April 30, 2024
F5 announced new security offerings: F5 Distributed Cloud Services Web Application Scanning, BIG-IP Next Web Application Firewall (WAF), and NGINX App Protect for open source deployments.
April 29, 2024
Code Intelligence announced a new feature to CI Sense, a scalable fuzzing platform for continuous testing.
April 29, 2024
WSO2 is adding new capabilities for WSO2 API Manager, WSO2 API Platform for Kubernetes (WSO2 APK), and WSO2 Micro Integrator.
