Parasoft(link is external) is showcasing its latest product innovations at embedded world Exhibition, booth 4-318(link is external), including new GenAI integration with Microsoft Visual Studio Code (VS Code) to optimize test automation of safety-critical applications while reducing development time, cost, and risk.
Does DevSecOps Deliver on Application Security? Survey Says … Yes
November 27, 2023
You can't open a browser these days without reading another story about a ransomware attack or a newly discovered software vulnerability putting thousands at risk. There's no shortage of such incidents, and while fingers will always find a target to point at, there's plenty of blame to go around. In fact, recent research conducted by ESG and sponsored by Mend.io found just 52% of companies can effectively remediate a critical vulnerability — and even fewer (42%) are confident in their ability to manage the security and compliance risks associated with open-source software.
Frankly, that's alarming. And it begs lots of questions about the challenges those organizations are facing. What I find more interesting is the other 48% — the organizations that can effectively remediate a critical vulnerability. What are they doing right that others can learn from?
It turns out, they're embracing DevOps with arms wide open. The research revealed organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to have extensively embraced DevOps (46% vs. 20%).
Use DevSecOps Tools and Processes to Automate Security Checks
We know DevOps brings tremendous benefits and efficiencies to the development process, so it stands to reason incorporating security into DevOps processes and developer workflows should have a similar impact on remediation. The research corroborates that theory, finding that organizations able to keep pace with vulnerabilities are 3.3x more likely to have extensively incorporated security into development processes.
These high functioning security organizations have incorporated application security practices into DevOps with an eye toward automating security checks. In the examples below, you'll see how organizations that effectively remediate vulnerabilities (first number) compare against those who cannot remediate effectively (second number).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production (78% versus 61%).
■ Apply runtime API security controls (79% versus 58%).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production more often (78% versus 61%).
■ Discover and inspect APIs in source code (72% versus 61%).
■ Apply runtime threat prevention controls (e.g., anti-malware, application control, virtual patching, intrusion prevention, 73% versus 62%).
■ Log all changes for compliance audits (i.e., compliance-as-code, 70% versus 51%).
■ Apply dependency management for open source components (64% versus 54%).
■ Use software composition analysis (SCA) tools to inventory and audit third-party software components to identify and remediate vulnerabilities (60% versus 44%)
Shift Left, Collaborate, and Listen
In the past, with monolithic applications and waterfall development processes, security teams held responsibility for testing, finding, and remediating security issues. However, as more security practices are integrated with modern DevOps processes, it's no surprise the onus for application security is falling on developers. Indeed, 49% of organizations are putting all or most of the responsibility of their application security on their developers. But that's not necessarily a bad thing, as the data also points to developer accountability driving stronger collaboration between these groups.
For organizations efficient at remediation, the research found more than half (52%) encourage collaboration between development, security, and operations. And the earlier collaboration starts in the software development lifecycle (SDLC), the better. Organizations that began collaboration during the "requirements and design" phase reported a lower average of 2.3 serious security incidents, compared with 3.2 incidents experienced by organizations that engaged in collaboration later in the SDLC. From this, we can conclude early-stage teamwork can bolster security measures and minimize vulnerability-related risks.
Why It Matters
When it comes to application security, organizations only care about one thing: decreasing or eliminating security incident rates. Companies that can keep up with critical vulnerabilities succeed with the ultimate KPI for application security programs: lower security incident rates. These organizations were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit internally developed applications over the last 12 months. Examining the characteristics and experiences of those organizations that can remediate vulnerabilities effectively, it's pretty clear that DevSecOps delivers what matters.
Industry News
March 06, 2025
JFrog announced general availability of its integration with NVIDIA NIM microservices, part of the NVIDIA AI Enterprise software platform.
March 06, 2025
CloudCasa by Catalogic announce an integration with SUSE® Rancher Prime via a new Rancher Prime Extension.
March 05, 2025
MacStadium(link is external) announced the extended availability of Orka(link is external) Cluster 3.2, establishing the market’s first enterprise-grade macOS virtualization solution available across multiple deployment options.
March 05, 2025
JFrog is partnering with Hugging Face, host of a repository of public machine learning (ML) models — the Hugging Face Hub — designed to achieve more robust security scans and analysis forevery ML model in their library.
March 05, 2025
Copado launched DevOps Automation Agent on Salesforce's AgentExchange, a global ecosystem marketplace powered by AppExchange for leading partners building new third-party agents and agent actions for Agentforce.
March 05, 2025
Harness completed its merger with Traceable, effective March 4, 2025.
March 04, 2025
JFrog released JFrog ML, an MLOps solution as part of the JFrog Platform designed to enable development teams, data scientists and ML engineers to quickly develop and deploy enterprise-ready AI applications at scale.
March 04, 2025
Progress announced the addition of Web Application Firewall (WAF) functionality to Progress® MOVEit® Cloud managed file transfer (MFT) solution.
March 04, 2025
Couchbase launched Couchbase Edge Server, an offline-first, lightweight database server and sync solution designed to provide low latency data access, consolidation, storage and processing for applications in resource-constrained edge environments.
March 04, 2025
Sonatype announced end-to-end AI Software Composition Analysis (AI SCA) capabilities that enable enterprises to harness the full potential of AI.
March 03, 2025
Aviatrix® announced the launch of the Aviatrix Kubernetes Firewall.
March 03, 2025
ScaleOps announced the general availability of their Pod Placement feature, a solution that helps companies manage Kubernetes infrastructure.
March 03, 2025
Cloudsmith raised a $23 million Series B funding round led by TCV, with participation from Insight Partners and existing investors.
February 27, 2025
IBM has completed its acquisition of HashiCorp, whose products automate and secure the infrastructure that underpins hybrid cloud applications and generative AI.
