Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).
Does DevSecOps Deliver on Application Security? Survey Says … Yes
November 27, 2023
You can't open a browser these days without reading another story about a ransomware attack or a newly discovered software vulnerability putting thousands at risk. There's no shortage of such incidents, and while fingers will always find a target to point at, there's plenty of blame to go around. In fact, recent research conducted by ESG and sponsored by Mend.io found just 52% of companies can effectively remediate a critical vulnerability — and even fewer (42%) are confident in their ability to manage the security and compliance risks associated with open-source software.
Frankly, that's alarming. And it begs lots of questions about the challenges those organizations are facing. What I find more interesting is the other 48% — the organizations that can effectively remediate a critical vulnerability. What are they doing right that others can learn from?
It turns out, they're embracing DevOps with arms wide open. The research revealed organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to have extensively embraced DevOps (46% vs. 20%).
Use DevSecOps Tools and Processes to Automate Security Checks
We know DevOps brings tremendous benefits and efficiencies to the development process, so it stands to reason incorporating security into DevOps processes and developer workflows should have a similar impact on remediation. The research corroborates that theory, finding that organizations able to keep pace with vulnerabilities are 3.3x more likely to have extensively incorporated security into development processes.
These high functioning security organizations have incorporated application security practices into DevOps with an eye toward automating security checks. In the examples below, you'll see how organizations that effectively remediate vulnerabilities (first number) compare against those who cannot remediate effectively (second number).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production (78% versus 61%).
■ Apply runtime API security controls (79% versus 58%).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production more often (78% versus 61%).
■ Discover and inspect APIs in source code (72% versus 61%).
■ Apply runtime threat prevention controls (e.g., anti-malware, application control, virtual patching, intrusion prevention, 73% versus 62%).
■ Log all changes for compliance audits (i.e., compliance-as-code, 70% versus 51%).
■ Apply dependency management for open source components (64% versus 54%).
■ Use software composition analysis (SCA) tools to inventory and audit third-party software components to identify and remediate vulnerabilities (60% versus 44%)
Shift Left, Collaborate, and Listen
In the past, with monolithic applications and waterfall development processes, security teams held responsibility for testing, finding, and remediating security issues. However, as more security practices are integrated with modern DevOps processes, it's no surprise the onus for application security is falling on developers. Indeed, 49% of organizations are putting all or most of the responsibility of their application security on their developers. But that's not necessarily a bad thing, as the data also points to developer accountability driving stronger collaboration between these groups.
For organizations efficient at remediation, the research found more than half (52%) encourage collaboration between development, security, and operations. And the earlier collaboration starts in the software development lifecycle (SDLC), the better. Organizations that began collaboration during the "requirements and design" phase reported a lower average of 2.3 serious security incidents, compared with 3.2 incidents experienced by organizations that engaged in collaboration later in the SDLC. From this, we can conclude early-stage teamwork can bolster security measures and minimize vulnerability-related risks.
Why It Matters
When it comes to application security, organizations only care about one thing: decreasing or eliminating security incident rates. Companies that can keep up with critical vulnerabilities succeed with the ultimate KPI for application security programs: lower security incident rates. These organizations were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit internally developed applications over the last 12 months. Examining the characteristics and experiences of those organizations that can remediate vulnerabilities effectively, it's pretty clear that DevSecOps delivers what matters.
Industry News
December 19, 2024
December 19, 2024
Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.
December 18, 2024
Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.
December 18, 2024
Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.
December 17, 2024
Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.
December 17, 2024
Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.
December 17, 2024
Kindo formally launched its channel partner program.
December 16, 2024
Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.
December 16, 2024
Fastly announced the general availability of Fastly AI Accelerator.
December 12, 2024
Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.
December 12, 2024
vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.
December 11, 2024
Check Point® Software Technologies Ltd. announced that Infinity XDR/XPR achieved a 100% detection rate in the rigorous 2024 MITRE ATT&CK® Evaluations.
December 11, 2024
CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.
December 11, 2024
Grid Dynamics announced the launch of its developer portal.
December 10, 2024
LTIMindtree announced a strategic partnership with GitHub.
