DEVOPSdigest

You can't open a browser these days without reading another story about a ransomware attack or a newly discovered software vulnerability putting thousands at risk. There's no shortage of such incidents, and while fingers will always find a target to point at, there's plenty of blame to go around. In fact, recent research conducted by ESG and sponsored by Mend.io found just 52% of companies can effectively remediate a critical vulnerability — and even fewer (42%) are confident in their ability to manage the security and compliance risks associated with open-source software.

Frankly, that's alarming. And it begs lots of questions about the challenges those organizations are facing. What I find more interesting is the other 48% — the organizations that can effectively remediate a critical vulnerability. What are they doing right that others can learn from?

It turns out, they're embracing DevOps with arms wide open. The research revealed organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to have extensively embraced DevOps (46% vs. 20%).

Use DevSecOps Tools and Processes to Automate Security Checks

We know DevOps brings tremendous benefits and efficiencies to the development process, so it stands to reason incorporating security into DevOps processes and developer workflows should have a similar impact on remediation. The research corroborates that theory, finding that organizations able to keep pace with vulnerabilities are 3.3x more likely to have extensively incorporated security into development processes.

These high functioning security organizations have incorporated application security practices into DevOps with an eye toward automating security checks. In the examples below, you'll see how organizations that effectively remediate vulnerabilities (first number) compare against those who cannot remediate effectively (second number).

■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production (78% versus 61%).

■ Apply runtime API security controls (79% versus 58%).

■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production more often (78% versus 61%).

■ Discover and inspect APIs in source code (72% versus 61%).

■ Apply runtime threat prevention controls (e.g., anti-malware, application control, virtual patching, intrusion prevention, 73% versus 62%).

■ Log all changes for compliance audits (i.e., compliance-as-code, 70% versus 51%).

■ Apply dependency management for open source components (64% versus 54%).

■ Use software composition analysis (SCA) tools to inventory and audit third-party software components to identify and remediate vulnerabilities (60% versus 44%)

Shift Left, Collaborate, and Listen

In the past, with monolithic applications and waterfall development processes, security teams held responsibility for testing, finding, and remediating security issues. However, as more security practices are integrated with modern DevOps processes, it's no surprise the onus for application security is falling on developers. Indeed, 49% of organizations are putting all or most of the responsibility of their application security on their developers. But that's not necessarily a bad thing, as the data also points to developer accountability driving stronger collaboration between these groups.

For organizations efficient at remediation, the research found more than half (52%) encourage collaboration between development, security, and operations. And the earlier collaboration starts in the software development lifecycle (SDLC), the better. Organizations that began collaboration during the "requirements and design" phase reported a lower average of 2.3 serious security incidents, compared with 3.2 incidents experienced by organizations that engaged in collaboration later in the SDLC. From this, we can conclude early-stage teamwork can bolster security measures and minimize vulnerability-related risks.

Why It Matters

When it comes to application security, organizations only care about one thing: decreasing or eliminating security incident rates. Companies that can keep up with critical vulnerabilities succeed with the ultimate KPI for application security programs: lower security incident rates. These organizations were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit internally developed applications over the last 12 months. Examining the characteristics and experiences of those organizations that can remediate vulnerabilities effectively, it's pretty clear that DevSecOps delivers what matters.