Application security - a sea change begins?
Report shows how and where security is improving - and failing...
Enterprises have tightened up their approach to application security and the implementation of software delivery lifecycle (SDLC) principles, but many challenges remain, according to a wide-ranging survey.
The good news is that 67 per cent of survey respondents describe their DevOps practices as either very mature or of improving maturity: 26 per cent make the ‘mature’ DevOps practice cut, while a solid 41 per cent are ‘improving’ their maturity. The results are clear, with 58 per cent of mature DevOps teams having automated security as part of Continuous Integration (CI) practices, compared to 39 per cent of all survey participants.
Although 47 per cent of traditional development and operations teams said that they perceived security teams and policies as being a brake on progress, DevOps teams have discovered new ways to integrate security and retain speed of development, with only 28 per cent of mature DevOps teams believing that they are slowed down by security requirements.
In other good news, developers are increasingly taking responsibility for security, with 24 per cent of all respondents saying it is a top concern. Cheeringly, in mature DevOps organisations that number rises to 38 per cent. An impressive 85 per cent of those surveyed from highly mature DevOps practices received some form of application security training, ensuring awareness of secure coding practices. In immature DevOps practices, 30 per cent received no training.
The 2017 DevSecOps Community Survey was conducted among 2,292 IT professionals by Sonatype, which noted a 50 per cent increase in data breaches between Sonatype's 2014 and 2017 surveys.
Ilia Kolochenko, CEO of High-Tech Bridge, commented: “Gartner highlighted in its Hype Cycle for Application Security 2016 that applications are the main source of data exfiltration; however, companies still tend to underestimate the risks related to web applications, and consequently put their customers at huge risk.
Some large companies, handling and processing personal data, still fail to respect and even intentionally neglect the basics of information security. Despite numerous reports on increasing cybersecurity spending during the last few years, many companies do spend more, but aren’t becoming more secure. A holistic risk assessment, comprehensive asset inventory and continuous security monitoring are often omitted, even though they are probably the most important parts of information security strategy and management.”
The Sonatype report uncovered some disconnects too: 42 per cent of mature DevOps organisations perform application security analysis at every stage of the SDLC, but this figure plummets to just 27 per cent across the entire survey sample.
In spite of rising awareness, 50 per cent of developers said that, while they were aware of the importance of security, they did not have sufficient time to spend on it, and a worrying 54 per cent of respondents agreed that security experts can seem like ‘nags’, pointing out vulnerabilities but not helping to resolve them.
Controls proved to be a contentious issue, particularly around open source components: in spite of breaches relating to vulnerabilities in open source components rocketing 50 per cent between 2014 and 2017, the percentage of companies with no controls in place at all has remained static, at 65 per cent. In fact, 20 per cent of respondents had themselves identified a breach related to an open source component vulnerability in the last year alone.
A particular issue is around deploying containers: 88 per cent of survey respondents felt this was an area where security was a top concern, yet only 53 per cent use security solutions to address the problem.
Overall, it is clear that while the most mature DevOps practices have improved dramatically in the last few years, there is a considerable gulf between these high performers and their lesser peers. Even in the mature practices, there are significant disconnects which highlight still further how much work remains to be done.