Summary
About Synopsys' 2023 State of DevSecOps Report
In early 2023, the Synopsys Cybersecurity Research Center (CyRC), in conjunction with Censuswide, an international market research consultancy, surveyed 1,000 IT professionals responsible for security. Respondents included developers, AppSec professionals, DevOps engineers, CISOs, and experts in a variety of other technology, cybersecurity and application/software development roles, from the United States, United Kingdom, France, Finland, Germany, China, Singapore, and Japan.
All respondents were eligible to participate in the survey, regardless of their industry or company size. One challenge in designing the survey was that the term "DevSecOps" encompasses multiple disciplines, many of which have their own unique roles. The survey aimed to reach people from a variety of professional backgrounds, including both developers who write code directly and those at the CISO level who are responsible for software security.
About DevOps and DevSecOps
Accelerated development, continuous delivery, pipeline resiliency, scalability, and end-to-end transparency are key principles for realizing DevOps. Meeting these criteria requires the combined efforts of development, security and operations personnel.
DevSecOps is an extension of the DevOps methodology designed to instill a culture of security across multiple teams and to address security early and consistently in the DevOps environment. By integrating security practices into the software development life cycle (SDLC) and CI pipelines, DevSecOps aims to transform security from a standalone phase into part of the development lifecycle.
DevSecOps has gained popularity across organizations involved in software development. The SANS State of DevSecOps 2023 Survey shows that DevSecOps has become an important business practice and risk management methodology. In the past, however, security and development teams have often disagreed when trying to incorporate security into their processes, in large part because the practice brought traditional application security testing (AST) tools into the SDLC. Developers often complain that AST tools are too complex, difficult to learn, slow, and generate a lot of "noise" that creates "friction", that is, things that prevent developers from building code easily and quickly during the software development process. The majority of respondents expressed general dissatisfaction with the AST tools they use.
Benefits of automation
The core principle of DevOps is to automate manual processes at every stage of the SDLC. Automation is an essential prerequisite for any organization to accelerate development and delivery of code through continuous integration or continuous deployment.
Successful DevSecOps requires the interplay of integration and automation, as well as the guidance of standards and policies. This gives the security team confidence that security interests are being safeguarded, while keeping the DevOps team on task and confident that pipeline disruptions won't occur. Unlike manual testing, automated security testing can be executed quickly and consistently, allowing developers to identify issues early in the development process without impacting delivery schedules or productivity.
- Consistency. Automated testing ensures that security checks are performed consistently for every build and deployment. Manual testing can lead to inconsistent testing processes and coverage.
- Scalability. As software complexity grows, manual testing becomes impractical. Automated testing scales easily to a large number of tests across different components.
- Continuous integration and continuous deployment (CI/CD). Automated testing is critical in CI/CD pipelines, where rapid and frequent code changes occur. It can quickly validate changes and prevent buggy code from entering the production environment.
- Continual improvement. Automated testing provides data and insights that help development and security teams improve security practices over time, allowing them to systematically analyze and address vulnerability patterns.
- Record keeping. Automated testing can document the entire testing process, making it easier to track and audit security measures and compliance requirements.
- Reduction of human error. Manual testing is prone to errors due to fatigue or negligence. Automated testing follows predefined scripts and reduces the risk of human error.
- Time and cost savings. Identifying and fixing security issues late in the development process or in production is time-consuming and expensive. Automated testing minimizes these costs.
- Improving the developer experience. Automated application security testing allows developers to take a proactive, holistic approach to addressing security issues in a way that helps them learn and improve their security knowledge and skills. This enhances the developer experience, ultimately improves software security, and increases the efficiency of the entire development process.
The Growing Use of ASOC/ASPM in DevSecOps
This report examines organizations at different stages of DevSecOps maturity, including their characteristics, and the security tools/practices they employ. Based on the findings, we will provide them with guiding recommendations to help them further improve their software security maturity.
Interestingly, the survey results show that the use of Application Security Orchestration and Correlation (ASOC), now commonly referred to as Application Security Posture Management (ASPM), is becoming more prevalent. According to Gartner, ASPM should be a priority for any organization that uses multiple development and security tools.
From development to deployment, ASPM solutions enable ongoing management of a wide range of application risks, including detection, correlation, and prioritization of security issues. ASPM tools can take data from multiple sources, then correlate and analyze it for easier interpretation, classification, and remediation.
ASPM also acts as a management and orchestration layer for security tools to support the control and enforcement of security policies. ASPM has a consolidated view of application security results, thus providing a complete view of the security and risk status of the entire application or system.
Given that most of these 1,000 respondents were generally dissatisfied with the AST tools they were using, complaining that the tools were unable to prioritize fixes based on business needs (35%) or to merge/correlate data to help solve problems (29%), it makes sense that the use of ASOC/ASPM is growing rapidly.
Key Findings from Synopsys' State of DevSecOps Survey 2023
The majority of DevOps teams have adopted DevSecOps to some degree, with a total of 91% of respondents indicating that they have incorporated some DevSecOps security measures into their software development pipeline. It is safe to say that the adoption of DevSecOps methodologies is now part of software development.
Organizations with more mature security programs have people dedicated to security. 29% of respondents indicated that they have cross-functional DevSecOps teams, collaborative teams comprised of members from development, security, and operations, and that these teams are an important factor in the success of their security programs. People who focus on security and work with developers/software engineers and/or QA and testing may be on the front lines of security testing in organizations with mature security programs.
There are many barriers to effective DevSecOps implementation
More than 33% of respondents cited a lack of security training as a major obstacle. This was closely followed by a shortage of security personnel (31%), lack of transparency in development/operations (31%), and changing priorities (30%).
More than one-third of respondents indicated that integrating automated security testing into build/deployment workflows is critical to the success of a security program. Other key success factors include enforcing security/compliance policies through infrastructure-as-code, fostering security champions on the development and operations teams, and improving communication between the development, operations, and security teams.
Dealing with major vulnerabilities late in the SDLC can greatly diminish gains
More than 80% of respondents indicated that major vulnerabilities/security issues in deployed software affected their work progress in some form during 2022-2023.
28% of respondents said it takes their organizations up to three weeks to patch major security risks/vulnerabilities in deployed applications; another 20% said it can take up to one month.
These numbers are especially troubling considering that vulnerabilities are being exploited faster than ever before. Recent studies show that more than half of all vulnerabilities are exploited within a week of disclosure.
In the "usefulness of tools/processes" category, more than 70% of respondents rated automated scanning of code for security vulnerabilities and other defects as useful (Table 1). This was closely followed by "identifying security requirements during the requirements-gathering phase of the SDLC" and "formally assessing the software security program through models such as BSIMM and SAMM".
Almost all respondents agreed that their AST tools do not meet their business needs.
Most of the 1,000 respondents identified a wide variety of problems with AST tools as their main challenge, including the inability of these tools to prioritize fixes based on business needs (35%) and the inability to merge/correlate data to help solve problems (29%).
52% of security professionals have begun to actively use AI in DevSecOps activities, but more than three-quarters are concerned about its use
The findings suggest that security teams are actively using AI, machine learning, natural language processing and neural networks. However, the increasing use of generative AI tools, such as AI-driven coding advice, has raised a host of intellectual property, copyright, and licensing issues around AI-generated code, and in some cases has even led to litigation.
State of DevSecOps Survey 2023
DevSecOps Deployment
More than one-third of the 1,000 respondents believe that their security program has reached Maturity Level 3, which means that security processes are documented, repeatable, and standardized across the organization. Another 25% believe their security program has reached Level 4, where security processes are also monitored and evaluated.
A total of 91% of respondents indicated that they have applied some type of DevSecOps activity to their software development pipeline, so the adoption of DevSecOps appears to be an established part of DevOps.
At what level of maturity do you believe your organization's current software security project/program is?
Implementation of security practices represents a higher level of maturity
Another measure of DevSecOps maturity, shown in the figure, indicates that respondents have adopted a wide range of security practices, from continuous monitoring and assessment (30%) to automated testing (28%).
Cited as a best practice by 358 respondents (35.1%), Security Risk Management involves integrating security considerations at each stage of the development process to identify, assess, and mitigate potential security risks associated with software applications. Under the SDLC framework, overall security risk management covers the following activities.
- Requirements Analysis. Identify security requirements and constraints early in the SDLC and define security goals.
- Design. Incorporate security principles into system architecture and design to ensure that applications are designed with appropriate safeguards against common vulnerabilities.
- Development. Implement secure coding practices and adhere to coding standards that address security issues. Use integrated security testing tools, such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA), to capture vulnerabilities when writing code and introducing open source or third-party code.
- Testing. Perform various types of security tests to identify vulnerabilities in applications, such as SAST, Dynamic Application Security Testing (DAST), SCA, and penetration testing.
- Deployment. Securely configure the environment in which the application will run. Implement access control, network security, and appropriate authentication and authorization mechanisms.
- Monitoring and Assessment. Continuously monitor applications in the production environment for security events and anomalies. Implement logging and monitoring solutions to detect and respond to potential breaches. 30% of respondents indicated that this is the primary security practice their organization employs.
- Response and remediation. Develop an incident response plan to handle security incidents quickly and efficiently. Fix problems detected during the testing phase.
- Transparency and security. Establish clear norms, standards and strategies, and report on security risks and risk tolerance.
- Training. Provide training to development teams on secure coding practices, common vulnerabilities, and security best practices to enable developers to proactively address security issues. Unfortunately, 34% of respondents identified "inadequate/ineffective security training for developers/engineers" as one of the main barriers to effective DevSecOps implementation in their organizations.
- Continuous Improvement. Periodically review and improve security processes and practices in the SDLC.
What security practices does your organization use? (check all that apply)
Evaluation of the security plan
Nearly 70% of respondents indicated that it would be useful to evaluate their security programs through an assessment tool such as the Building Security In Maturity Model (BSIMM), with more than one-third rating such an assessment as "very useful".
An external assessment of your security posture can help you analyze your software security program and compare it to other organizations and your peers, and tools such as BSIMM provide data-driven, objective analyses on which you can base resource, time, budget, and prioritization decisions. Whether you're just starting a security program or adapting an existing program to changing business and security needs, comparing your software security program with others can guide your strategy.
If you are responsible for a software security program or are just beginning to develop one, understanding AppSec trends among your peers can help you make strategic improvements to your security efforts. If you are managing a security program from a technical perspective, you can use the information from a BSIMM or Software Assurance Maturity Model (SAMM) assessment to develop tactical improvements for people and processes, such as developing a Security Champions program.
In fact, according to the BSIMM report, one of the first things many software security teams do is to identify people who are drivers of software security but who are not directly connected to the software security team. These individuals, collectively known as "security champions" (or "software security advocates"), can support and advance software security efforts. For example, security champions on the engineering team can encourage engineers to take responsibility for the security of their own software deliverables. 33% of respondents cited the development of a security champion program as one of the key factors in the success of a software security program.
Effectiveness of Formal Evaluation of Software Security through Models such as BSIMM and SAMM.
The Importance of Cross-Functional Teams for DevSecOps Success
29% of respondents noted that cross-functional DevSecOps teams, collaborative teams of development, security, and operations personnel, are key to the success of security programs (see Appendix Q16). Security professionals, in collaboration with developers/software engineers and/or QA and testing teams (whether formally part of the DevSecOps team or otherwise), can be the first line of defense for security testing and help organizations build more mature security programs.
A single pipeline of testing before and after deployment by the security team is a thing of the past. In today's software development environment, security testing is the responsibility of the entire engineering team, including quality assurance, development, and operations teams, and most teams build security into their software at various stages of the software development lifecycle.
33% of respondents indicated that their organizations also hire outside consultants to conduct security testing. The best practice here is to conduct regular security audits. Engaging a third-party auditor or penetration tester to conduct such tests is invaluable in providing an objective view of the security posture of the entire organization.
Who is responsible for security testing in your organization? (check all that apply)
Combination of manual and automated testing for optimal results
Survey results show that most respondents believe that a combination of manual and automated security testing provides a more comprehensive approach to assessing the security of business-critical applications. While automated testing is important for consistency, scalability, and time and cost savings, human involvement adds a layer of insight and adaptability that is essential for identifying complex and subtle security issues. For example, as a "black box" test (i.e., testing without knowledge of an application's internals), DAST requires both developers and security experts to be involved in validating and categorizing test results.
Similarly, the fact that 44% of respondents consider external penetration testing a key component of their security testing shows that penetration testing is an important complement to internal testing. External penetration testing, which is often done to comply with industry norms and standards, brings additional benefits, such as an objective assessment of your organization's security posture and a realistic simulation of the threats and vulnerabilities that external attackers could exploit.
How do you assess or test the security of business-critical applications? (Check all that apply)
Key performance indicators
The survey asked respondents to select the top three Key Performance Indicators (KPIs) they use to evaluate the success of their DevSecOps program. Topping the list was "Overall reduction in open vulnerabilities," cited by 295 respondents (29%), followed closely by "Reduction in security-related issues discovered late in the SDLC," cited by 288 respondents (28%), and in third place "Time to resolve issues," cited by 281 respondents (28%).
As the survey results show, time, productivity, and cost are the three common threads running through these KPIs and through the challenges organizations face when implementing a secure SDLC. In other words, the three main questions facing DevSecOps participants are:
- How can we reduce the number of vulnerabilities/issues we encounter?
- How can we find vulnerabilities earlier in the SDLC?
- How can we reduce the time it takes to solve problems to minimize build delays and improve development efficiency?
What are the main KPIs you use to evaluate the success of DevSecOps activities? (select up to 3)
What AST tools are you using? Are they useful?
The findings show that successful DevSecOps strategies use a complete security toolset to address code quality and security issues throughout the software development lifecycle, including Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Static Application Security Testing (SAST), and Software Composition Analysis (SCA) tools.
The survey results showed that SAST was the most popular AST tool, with 72% of respondents finding it useful. It was closely followed by IAST (69%), SCA (68%), and DAST (67%).
SAST and DAST use different test methodologies for different SDLC phases. SAST is critical for discovering and eliminating vulnerabilities in proprietary code early in the SDLC (i.e., before the application is deployed), while DAST is useful for discovering operational issues, such as authentication and network configuration flaws, after deployment. IAST combines some of the functionality of both SAST and DAST to detect significant security flaws that cannot be identified by other types of testing.
SCA is suitable for identifying and managing open source security and licensing risks, which is a key requirement in modern software development, especially when more than three-quarters of the code in any given application is likely to be open source. Since many organizations are using packaged software purchased from independent software vendors, as well as Internet of Things (IoT) devices and embedded firmware, they may also need to perform some form of SCA binary analysis within their AST toolkit.
Are the following application security tools used by your organization useful (if any)?
When to test? When will patches be applied? How does this affect our work schedule?
The frequency of application security testing depends on a number of factors, including the application's business criticality, the industry, and the threat landscape. As our survey results show, highly critical applications should be assessed on a regular basis (see figure). Most of the organizations that participated in this survey indicated that they conduct vulnerability scans of business-critical applications on average two to three days per week.
At first glance, the survey result that 28% of organizations take up to three weeks to patch major vulnerabilities (Figure I) may seem worrisome, but it has to be considered in the context of other factors. There is a misconception that a heroic developer can fix every vulnerability, but no one would ask a developer to dig into unimportant vulnerabilities without good reason.
It is worth noting that 31% of respondents cited "lack of transparency in Dev/Ops" as the main barrier to DevSecOps implementation, and 29% cited "organizational silos between development, operations, and security" (Figure 1). Both point to risk communication issues between security and development teams, as well as the need for rapid alerting and automation of security policies.
In all cases, the prioritization of vulnerability patching should be aligned with the business importance of the asset to be patched, its criticality and the risk of the asset being exploited, especially the last point. Research shows that more than half of all vulnerabilities are exploited within a week of disclosure.
How often, on average, does your organization conduct assessments or tests of the security of business-critical applications?
On average, how long does it take your organization to patch/address significant security risks/vulnerabilities in deployed or active applications?
As a result, organizations need to prioritize vulnerability remediation based on Common Vulnerability Scoring System (CVSS) scores, Common Weakness Enumeration (CWE) information, and vulnerability exploitability, which applies not only on "day zero" of vulnerability disclosure, but throughout the entire lifecycle of an application.
The CVSS score is an industry standard for assessing the severity of a vulnerability. Each vulnerability in the National Vulnerability Database (NVD) has a base score that expresses the severity of the vulnerability and guides the prioritization of remediation. The CVSS base score is a composite that takes into account both the exploitability and the impact of the vulnerability.
The temporal score is a metric that accounts for changes over time due to events external to the vulnerability. The remediation level (is there an official fix?) and the report confidence (has the report been validated?) can adjust the overall CVSS score to the appropriate risk level.
CWE information lists software or hardware weaknesses that have security implications, and tells developers which weaknesses can be exploited (where known vulnerabilities exist). This information helps security and development teams understand where to focus developer security training, what additional security controls to implement in the SDLC and in production, and whether to add risk severity assessment mechanisms. For example, a development team may assign different priorities to SQL injection, buffer overflows, or denial of service based on the data the application touches, where it is deployed, and other environmental and security factors.
The presence of a known exploit increases the risk score and helps the team prioritize fixes for the highest-risk vulnerabilities. Knowing whether patches, mitigations, or compensating controls are readily available after assessing the overall risk is another key piece of information to consider. For example, if you have two medium-risk vulnerabilities that are not being exploited, which one to fix first may ultimately depend on whether an existing patch or solution is available.
A major security or vulnerability issue in a deployed application often has a cascading effect that not only affects the business operations of the organization (or its customers), but also has an impact on the entire SDLC, as shown in the figure.
Issues may be minor if they are discovered early in development, but they can become major "all hands on deck" issues if they are discovered in a deployed application. Automated security testing tools integrated into IDEs and CI pipelines can identify vulnerabilities and defects in code immediately after (or even before) the code is committed, allowing developers to address issues before they propagate downstream.
Over the past year (2022-2023), how much impact, if any, has resolving a major security/vulnerability issue had on your organization's software delivery plan?
Challenges to Effective DevSecOps
The cybersecurity talent shortage is a major challenge for DevSecOps, as shown in Figure K. Many organizations are unable to recruit qualified individuals for key cybersecurity positions. According to some studies, there are 3.5 million cybersecurity vacancies worldwide. As the market for trained cybersecurity professionals grows, the scarcity of supply will lead to higher wages for skilled practitioners, making them unaffordable for many government agencies and small and medium-sized businesses. However, as Figure K shows, "insufficient security training for developers/engineers" remains the top challenge.
Establishing a security champion program has proven to be an effective strategy for addressing these issues by identifying individuals from various parts of the organization who have an above-average interest or skill set in security (and who are already using their expertise to support development, quality assurance, and operations teams). Security champions can provide ideas and feedback on new projects, as well as help security or engineering teams combine software security skills with domain knowledge they may lack in emerging or rapidly changing technologies. Agile coaches, scrum masters, and DevOps engineers are all excellent candidates for security advocates, especially for identifying and removing friction in the process.
What are the challenges/barriers to implementing DevSecOps in your organization? (Check all that apply)
As mentioned earlier in this report, AST tools such as SAST, DAST, IAST, and SCA have all been widely used by respondents, but effectively linking these tools to business needs remains a challenge.
Many respondents complained that the security testing tools they use are unable to prioritize remediation efforts based on factors such as exposure, exploitability, and severity of security vulnerabilities; are too slow to accommodate rapid release cycles/continuous deployment; and are inaccurate and unreliable.
Without the ability to consolidate or correlate the results of different security tests, security and DevOps teams spend too much time identifying the vulnerabilities that need to be fixed first - which may be one of the reasons why nearly three-quarters of respondents noted that it takes their organizations between two weeks and a month to patch known critical vulnerabilities.
Failure to patch vulnerabilities quickly affects fundamental interests. More than 80% of respondents indicated that addressing major vulnerabilities or related security issues in deployed software impacted their work schedule during 2022-2023.
Fragmentation of AST tools and slow remediation are what Application Security Orchestration and Correlation (ASOC) and Application Security Posture Management (ASPM) are designed to address. According to Gartner, ASOC/ASPM can act as a management layer to orchestrate multiple AST tools, automating the correlation and contextualization of discovered issues to speed up and optimize the remediation process.
ASOC/ASPM extracts and consolidates results from multiple sources to provide a unified risk view of the entire application environment, allowing you to perform data-driven prioritization of remediation efforts based on business context (e.g., severity) to facilitate faster remediation of the highest-risk vulnerabilities. ASOC/ASPM can also provide visibility into the production environment, thereby addressing the problem of long time-to-fix vulnerabilities in deployed applications and helping to effectively avoid exploits (most exploits occur within days of disclosure).
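The CVSS-based prioritization described earlier (base score, temporal adjustment, exploitability, patch availability, asset criticality) and the ASOC/ASPM-style correlation described here, combined in one added example that is not Synopsys' code or any ASPM product's algorithm. The tool names, asset weights, findings and `CVE-EXAMPLE-*` identifiers are constructed placeholders, and the ranking policy is one reading of the factors the report lists.

```python
"""Correlate AST findings and rank them for remediation. Added example, not
Synopsys' or any ASPM vendor's code. Tools, assets, findings and the
CVE-EXAMPLE-* ids are constructed; the ranking policy is one reading of the
factors the report lists (exploited in the wild, severity, asset, fix)."""
from dataclasses import dataclass, field
import math

# CVSS v3.1 temporal multipliers (FIRST specification); X = Not Defined.
EXPLOIT_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}
# When several tools report the same metric, keep the most informative value:
# the most mature exploit, the best available remediation, the highest confidence.
E_RANK = {"X": 0, "U": 1, "P": 2, "F": 3, "H": 4}
RL_RANK = {"X": 0, "U": 1, "W": 2, "T": 3, "O": 4}
RC_RANK = {"X": 0, "U": 1, "R": 2, "C": 3}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: the smallest one-decimal number that is >= value."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base: float, e="X", rl="X", rc="X") -> float:
    """Base score adjusted for exploit maturity, remediation level and report confidence."""
    return roundup(base * EXPLOIT_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def severity_band(score: float) -> int:
    """CVSS v3.1 qualitative rating: 0 None, 1 Low, 2 Medium, 3 High, 4 Critical."""
    return 0 if score == 0.0 else 1 + sum(score >= t for t in (4.0, 7.0, 9.0))


@dataclass
class Finding:
    tool: str          # constructed: "sast", "sca" or "dast" ("aspm" once merged)
    vuln_id: str       # CVE id for SCA findings, CWE id for code-level findings
    component: str     # service, package or endpoint the issue lives in
    base_score: float  # CVSS v3.1 base score as reported by the tool
    e: str = "X"
    rl: str = "X"
    rc: str = "X"
    tools: set = field(default_factory=set)  # filled in by correlate()


def correlate(findings):
    """Merge findings that describe the same issue in the same component (ASPM-style)."""
    merged = {}
    for f in findings:
        c = merged.setdefault((f.vuln_id, f.component), Finding("aspm", f.vuln_id, f.component, 0.0))
        c.tools.add(f.tool)
        c.base_score = max(c.base_score, f.base_score)
        c.e = max(c.e, f.e, key=E_RANK.__getitem__)
        c.rl = max(c.rl, f.rl, key=RL_RANK.__getitem__)
        c.rc = max(c.rc, f.rc, key=RC_RANK.__getitem__)
    return list(merged.values())


def prioritize(findings, asset_weight, known_exploited):
    """Order: exploited in the wild first, then severity band of the temporal score,
    then business criticality of the asset, then whether a fix/workaround exists."""
    def key(c):
        score = temporal_score(c.base_score, c.e, c.rl, c.rc)
        return (c.vuln_id in known_exploited, severity_band(score),
                asset_weight.get(c.component, 1.0), RL_RANK[c.rl] >= RL_RANK["W"], score)
    return sorted(correlate(findings), key=key, reverse=True)


# Constructed sample data: asset weights, a placeholder known-exploited list, and
# findings from three tools (SAST and DAST both flag the same SQL injection).
ASSET_WEIGHT = {"billing-api": 1.5, "internal-wiki": 0.5}
KNOWN_EXPLOITED = {"CVE-EXAMPLE-1"}
SAMPLE_FINDINGS = [
    Finding("sast", "CWE-89", "billing-api", 8.8, rc="C"),
    Finding("dast", "CWE-89", "billing-api", 8.8, e="F", rc="C"),
    Finding("sca", "CVE-EXAMPLE-1", "billing-api", 6.5, rl="O", rc="C"),
    Finding("sca", "CVE-EXAMPLE-2", "internal-wiki", 6.5, e="U", rl="U", rc="C"),
    Finding("sca", "CVE-EXAMPLE-3", "internal-wiki", 6.5, e="U", rl="O", rc="C"),
]


def remediation_order():
    """Vulnerability ids in the order the policy says to fix them."""
    return [c.vuln_id for c in prioritize(SAMPLE_FINDINGS, ASSET_WEIGHT, KNOWN_EXPLOITED)]


if __name__ == "__main__":
    for c in prioritize(SAMPLE_FINDINGS, ASSET_WEIGHT, KNOWN_EXPLOITED):
        print(c.vuln_id, c.component, sorted(c.tools), temporal_score(c.base_score, c.e, c.rl, c.rc))
```

Note that the two medium-severity issues on the low-criticality asset are ordered by fix availability, as the report suggests, while the known-exploited one jumps ahead of the higher-scoring SQL injection.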
What are the main issues with the application security testing tools used in your organization? (select up to 3)
The Promise and Pitfalls of AI
The survey results show that the use of AI has penetrated many organizations' software security programs, with more than 501 TP3T of respondents saying they are actively using AI in their DevSecOps practices.541 TP3T of respondents are looking to AI to improve the efficiency and accuracy of their security measures.481 TP3T of respondents are looking to AI to help them reduce manual review of security tests. tests manually.
This makes sense when you consider the major advantages that AI can potentially provide to DevSecOps.AppSec teams are often caught between the need for complete and consistent security testing and the need to keep pace with development teams using DevOps methodologies and CI pipelines. When deadlines are tight, it's easy for developers to skip critical security risk assessment processes.
Respondents cited "improving the accuracy and efficiency of security measures" (54%) and "reducing the need for manual review and analysis of security data" (48%) as their two main objectives for introducing AI into the secure SDLC.
Note, however, that respondents also expect AI to "increase the complexity and technical requirements of software security", and that a point may be reached where the only entity able to scrutinize AI-generated code adequately is the AI itself.
Implementing AI in DevSecOps brings further challenges, such as ensuring data quality and addressing security and privacy concerns. As AI tools are integrated into DevOps pipelines they will almost certainly become prime targets for attackers, and the sensitive data used to train them raises privacy questions of its own.
The use of AI carries other risks as well: AI-assisted coding can create ownership, copyright, and licensing questions around the code it produces.
In late 2022 a class action lawsuit was filed against GitHub, Microsoft, and OpenAI alleging that GitHub Copilot, a cloud-based AI tool that offers developers automated code completions as they type, infringes copyright law and software licensing requirements, and that using open source code to train Copilot violates the rights of the developers who wrote it. The lawsuit also alleges that code suggested by Copilot reproduces licensed material without attribution, copyright notice, or adherence to the terms of the original license.
Generative AI chatbots built on large language models, such as ChatGPT and Google Bard, also "hallucinate": they produce replies that look trustworthy and confident but are simply wrong.
AI hallucinations are a direct threat to the software supply chain. Researchers have found that ChatGPT will recommend code libraries or software packages that do not exist. A malicious actor can register a package under that name, fill it with malicious code, and wait for developers who follow the AI's advice to install it. For the attacker this is a step up from typosquatting and lookalike names, which are easier to detect. Researchers have already found malicious packages built around ChatGPT's hallucinated package names in popular registries such as PyPI and npm.
This threat is not theoretical; it is already happening. Whether a supply chain attack starts from an AI hallucination or from a malicious actor's own initiative, the defence is the same: know where code comes from, verify the identity of developers and maintainers, and download packages only from trusted vendors or sources.
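As an added example, written for this page and not taken from the report or from any of the vendors it mentions, the following Python script shows one way to put that advice into practice in a CI step: every dependency an AI assistant suggests is checked against an allowlist of packages the team has already reviewed, unpinned or mismatched versions are refused, names one or two edits away from an approved name are flagged as lookalikes, and the artifact's hash is compared with the reviewed one before a pinned line is emitted. The allowlist (APPROVED), the in-memory artifact store (ARTIFACTS) and the suggested requirement lines are all constructed for the example, and the package index is simulated so that it runs offline.

```python
"""Vet a dependency list, such as one suggested by an AI coding assistant,
against an allowlist of reviewed packages before anything is installed.
Every input here is constructed for the example: APPROVED stands in for an
internal allowlist or lockfile that a team maintains after checking each
package's source repository and maintainers, and ARTIFACTS stands in for the
package index (kept in memory so the example runs offline)."""
import hashlib
import re

def _sha(data):
    return hashlib.sha256(data).hexdigest()

# Hypothetical allowlist: canonical name -> (reviewed version, sha256 of the reviewed artifact).
APPROVED = {
    "requests": ("2.31.0", _sha(b"constructed requests-2.31.0 artifact")),
    "cryptography": ("42.0.5", _sha(b"constructed cryptography-42.0.5 artifact")),
}

# Hypothetical artifact store: (canonical name, version) -> bytes as served by the index.
ARTIFACTS = {
    ("requests", "2.31.0"): b"constructed requests-2.31.0 artifact",
    ("cryptography", "42.0.5"): b"constructed cryptography-42.0.5 artifact",
    ("reqeusts", "2.31.0"): b"constructed lookalike package, contents unknown",
}

REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s#]+))?\s*(?:#.*)?$")

def canonical(name):
    """PEP 503 name normalisation: 'Requests_Toolbelt' and 'requests-toolbelt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, used to flag names that sit one or two edits from an approved one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vet_requirement(line, approved=APPROVED, artifacts=ARTIFACTS):
    """Decide one requirements.txt-style line: ('accept', pinned line) or ('reject', reason)."""
    m = REQ.match(line)
    if not m:
        return "reject", "unparseable requirement"
    name, version = canonical(m.group(1)), m.group(2)
    if name not in approved:
        near = [n for n in approved if edit_distance(name, n) <= 2]
        if near:
            return "reject", f"not on allowlist; lookalike of approved {near[0]!r} (possible typosquat)"
        return "reject", "not on allowlist; may be hallucinated or unreviewed"
    want_version, want_sha = approved[name]
    if version is None:
        return "reject", "version not pinned"
    if version != want_version:
        return "reject", f"version {version} differs from reviewed {want_version}"
    blob = artifacts.get((name, version))
    if blob is None:
        return "reject", "artifact not available from index"
    if _sha(blob) != want_sha:
        return "reject", "artifact hash does not match the reviewed artifact"
    return "accept", f"{name}=={version} --hash=sha256:{want_sha}"

def vet_requirements(lines, **kw):
    """Vet every non-comment line; returns (accepted pinned lines, {line: rejection reason})."""
    accepted, rejected = [], {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        decision, info = vet_requirement(line, **kw)
        if decision == "accept":
            accepted.append(info)
        else:
            rejected[line] = info
    return accepted, rejected

# Constructed suggestions, in the shape an AI assistant might hand a developer.
SUGGESTED = [
    "requests==2.31.0",
    "Cryptography==42.0.5",
    "reqeusts==2.31.0",        # one transposition away from an approved name
    "acme-json-utils==1.0.0",  # fictional package that nobody has reviewed
    "requests",                # approved, but not pinned
]

if __name__ == "__main__":
    ok, bad = vet_requirements(SUGGESTED)
    print("install:\n  " + "\n  ".join(ok))
    print("blocked:\n  " + "\n  ".join(f"{k}: {v}" for k, v in bad.items()))
```

The accepted lines carry pip-style `--hash=` pins, so the install step downstream fails closed if the index ever serves different bytes; the rejections are the signal to route back to a human, since a package that is not on the allowlist is indistinguishable, at install time, from one that never existed until an attacker registered it.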
Lessons learned
While most organizations have largely adopted some DevSecOps practices, they still face challenges in implementing them effectively. The survey revealed that the problems are centered on two main areas.
- Integrating the results of multiple application security testing (AST) tools and aligning them with business priorities
- Reducing the time required to fix critical vulnerabilities
28% of respondents said it takes their organization up to three weeks to patch major security risks or vulnerabilities in deployed applications, and another 20% said it can take up to a month, even though most vulnerabilities are exploited within days of disclosure. Respondents' biggest frustration with AST tools is that they cannot prioritize vulnerability fixes according to business needs.
As noted in the introduction to this report, one challenge in designing the questionnaire was that "DevSecOps" spans several disciplines, many with their own distinct roles, and those roles do not necessarily understand "business prioritization" the same way.
For example, business executives mostly want to know whether AppSec tooling is effective: they want a comprehensive view of the process and of how it can improve performance across teams. Development and operations teams want AppSec to give them a central view of all issues so they can identify the security work that delivers the most value. Security professionals want the noise removed so they can prioritize and fix critical issues quickly.
Application Security Posture Management (ASPM) can provide the missing piece for organizations struggling to bring siloed security tools together while meeting business needs. ASPM automatically orchestrates the tools, then contextualizes and prioritizes their output, so the organization can focus on the application security issues that matter most to the business.
- ASPM can be integrated with development and security testing tools, as well as operations and maintenance monitoring tools, to provide a consolidated, single view of security-related information across the organization.
- By correlating and grouping data from the different tools that analyze a given application and its vulnerabilities, ASPM can give a comprehensive view of that application's overall security posture. DevSecOps teams can generate the data relevant to their own roles and responsibilities, and ASPM can present it in a form that is meaningful to line-of-business managers and others who need a broader perspective.
- ASPM allows you to develop and enforce security policies that address specific risks associated with particular applications and vulnerabilities. ASPM also allows you to identify and resolve security issues as early as possible when integrated with your development or operations infrastructure.
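To make the orchestrate, contextualize and prioritize cycle concrete, both as described in the ASOC/ASPM paragraph earlier in this section and in the three bullets above, here is an added Python example written for this page rather than taken from any vendor's product. It normalizes findings from a SAST, a DAST and an SCA tool into one schema, correlates them into issues, scores each issue from severity plus the application's tier, exposure and data classification, and then checks the result against an age-based remediation policy. The tool outputs, application context, field names, scoring weights and SLA values are all constructed assumptions, and the route-to-file heuristic in locator_key stands in for the mapping a real ASPM maintains explicitly.

```python
"""Correlate findings from several application security testing tools into one
prioritized issue list and check it against a remediation policy, in the style
of an ASOC/ASPM layer. The tool outputs, application context, field names,
weights and SLAs below are constructed for this example and are not any
vendor's schema."""
from collections import defaultdict
from datetime import date

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed tier-1 SLAs

# Constructed business context: which applications matter most and why.
APPS = {
    "payments-api": {"tier": 1, "internet_facing": True, "data": "pci"},
    "intranet-wiki": {"tier": 3, "internet_facing": False, "data": "internal"},
}

# Constructed raw output from three tools, each in its own shape.
SAST = [
    {"app": "payments-api", "file": "api/checkout.py", "line": 88, "cwe": 89,
     "severity": "high", "found": "2023-05-02"},
    {"app": "intranet-wiki", "file": "wiki/search.py", "line": 12, "cwe": 79,
     "severity": "medium", "found": "2023-05-10"},
]
DAST = [
    {"app": "payments-api", "url": "/checkout", "cwe": 89,
     "risk": "High", "first_seen": "2023-05-04"},
]
SCA = [
    {"app": "payments-api", "component": "pyyaml@5.3", "cwe": 502,
     "cvss": 9.8, "published": "2023-05-01"},
    {"app": "intranet-wiki", "component": "pyyaml@5.3", "cwe": 502,
     "cvss": 9.8, "published": "2023-05-01"},
]

def normalise(sast, dast, sca):
    """Map each tool's native fields onto one assumed finding schema."""
    out = []
    for f in sast:
        out.append({"app": f["app"], "locator": f["file"], "cwe": f["cwe"],
                    "severity": f["severity"], "since": f["found"], "tools": {"sast"}})
    for f in dast:
        out.append({"app": f["app"], "locator": f["url"], "cwe": f["cwe"],
                    "severity": f["risk"].lower(), "since": f["first_seen"], "tools": {"dast"}})
    for f in sca:
        sev = "critical" if f["cvss"] >= 9.0 else "high" if f["cvss"] >= 7.0 else "medium"
        out.append({"app": f["app"], "locator": f["component"], "cwe": f["cwe"],
                    "severity": sev, "since": f["published"], "tools": {"sca"}})
    return out

def locator_key(locator):
    """Naive heuristic that maps a source path or URL route to a shared name, so that
    SAST evidence (api/checkout.py) and DAST evidence (/checkout) of the same weakness
    are grouped. A real ASPM keeps this route-to-code mapping explicitly."""
    tail = locator.rstrip("/").rsplit("/", 1)[-1]
    return tail.rsplit(".", 1)[0] if "." in tail and "@" not in tail else tail

def correlate(findings):
    """Group findings into issues by (application, CWE, location); keep the worst
    severity, the earliest sighting and the set of tools that reported it."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["app"], f["cwe"], locator_key(f["locator"]))].append(f)
    issues = []
    for (app, cwe, key), fs in groups.items():
        issues.append({
            "app": app, "cwe": cwe, "locator": key,
            "severity": max((f["severity"] for f in fs), key=SEVERITY.__getitem__),
            "since": min(f["since"] for f in fs),  # ISO dates sort lexically
            "tools": sorted(set().union(*(f["tools"] for f in fs))),
        })
    return issues

def prioritise(issues, apps):
    """Score = severity x application tier x exposure x data sensitivity, plus a
    bonus when more than one tool corroborates the issue (assumed weights)."""
    for i in issues:
        ctx = apps[i["app"]]
        score = SEVERITY[i["severity"]] * (4 - ctx["tier"])
        score *= 1.5 if ctx["internet_facing"] else 1.0
        score *= 1.5 if ctx["data"] in {"pci", "phi"} else 1.0
        score += len(i["tools"]) - 1
        i["score"] = score
    return sorted(issues, key=lambda i: i["score"], reverse=True)

def policy_violations(issues, apps, today):
    """Issues older than their SLA; lower tiers get proportionally longer SLAs."""
    out = []
    for i in issues:
        sla = SLA_DAYS[i["severity"]] * apps[i["app"]]["tier"]
        age = (today - date.fromisoformat(i["since"])).days
        if age > sla:
            out.append((i["app"], i["locator"], i["severity"], age, sla))
    return out

def run(today=date(2023, 5, 20)):
    """Full pipeline on the constructed data; 'today' is fixed so results are reproducible."""
    issues = prioritise(correlate(normalise(SAST, DAST, SCA)), APPS)
    return issues, policy_violations(issues, APPS, today)

if __name__ == "__main__":
    issues, violations = run()
    for i in issues:
        print(f"{i['score']:6.2f}  {i['app']:<14} CWE-{i['cwe']:<4} {i['locator']:<12} {','.join(i['tools'])}")
    print("policy violations:", violations)
```

Run as a script it prints the ordered issue list and the policy violations. The same PyYAML finding appears twice and is ranked very differently, and only the tier-1 instance breaches its SLA; the SQL injection reported by both SAST and DAST is merged into one issue with both tools listed as evidence, which is the kind of correlation that lets a team work one ticket instead of two.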
Gartner's 2021 report states that roughly 5% of surveyed organizations had adopted ASPM or its predecessor, Application Security Orchestration and Correlation (ASOC), and expects adoption to grow rapidly. The 2023 survey bears that out: 28% of surveyed organizations have already begun using ASOC/ASPM. Gartner also notes that early adopters tend to be teams with mature DevSecOps programs that use multiple security tools, which also describes the respondents to this survey.
The survey explored in this report strongly suggests that the fragmented results provided by security tools, overburdened workforces, and the slow pace of vulnerability remediation are fundamental challenges that hinder DevSecOps success. For organizations that have diverse DevSecOps teams and use multiple application security testing tools, ASPM may be the key to effectively addressing these challenges.
Characteristics of respondents
Respondents' Industry Distribution
Respondents' job roles
Application Security Architect, Application Security Manager, CISO, Developer, DevOps Engineer, Director of Application Security, Director of Cybersecurity, Director of IT Risk Management, Director of IT Shared Services, Director of Product Security, Director of Security Assurance, Executive Director of Product Security, Incident and Security Manager, Director of Information Assurance, Software Security Engineering Manager, Operations Engineer, AppSec Product Security Personnel, Programmers, QA/Testers/Test Managers, Release Engineers/Managers, Security Administrators/Security Analysts, Security Architects, Security Directors, Security Engineering Managers, Senior Director of Product Security, Senior Vice President of Product Security and Technology, Technical Executives, Vice President of Product and Application Security, Vice President of Security Architecture, Vice President of Security Compliance, and more.
Appendix:
What is the main industry in which your organization operates?
How large is your organization (including staff and temporary workers)?
What types of software/applications does your organization create or manage? (Select all that apply)
What security practices does your organization use? (check all that apply)
Which of the application security tools, practices, or techniques your organization uses do you consider useful (if any)?
What level of maturity would you consider your organization's current software security project/program to be?
How often, on average, does your organization assess or test the security of business-critical applications?
How do you assess or test the security of business-critical applications? (Check all that apply)
In the past year (2022-2023), how much, if at all, has the resolution of a major security vulnerability impacted your organization's software delivery plan?
What are the main KPIs you use to evaluate the success of DevSecOps activities? (select up to 3)
What are the challenges/barriers to implementing DevSecOps in your organization? (Select all that apply)
What are the main issues with the application security testing tools used in your organization? (Select up to 3)
Which factors do you think are most important to the success of the security program? (check up to 3)
Is your organization currently using AI tools to enhance software security measures?
How do you anticipate the use of AI tools will impact your organization's DevSecOps processes and workflows? (Check all that apply)
What specific areas of software security do you think AI tools can be effective in strengthening?
How concerned (if at all) are you about hidden biases or errors in AI-based security solutions?
Original article by SnowFlake. If reproduced, please credit https://cncso.com/en/global-devsecops-report-2023-html