SANS Survey Shows DevSecOps Is Shifting Left
The ultimate objective of any DevSecOps program is to significantly improve an organization’s security posture and operational effectiveness by aligning the development, security and operations teams. The SANS 2022 DevSecOps Survey, “Creating a Culture to Significantly Improve Your Organization’s Security Posture,” showcases the progress the community is making toward this goal, while recognizing the challenges and highlighting areas for additional focus.
Let’s take a look at some key findings and what they tell us about how the industry is making progress on shifting security left.
‘Shift Left’ Is Happening
The survey showed that security testing increased at each phase of the build and release workflow. The majority of testing still occurs at the architecture/design stage, suggesting widespread agreement that security testing should be addressed early in the build and release workflow.
While testing at the code commit/pull request stage is still considered an important phase, this year’s survey shows a marked jump in testing at both the requirements and use case phase and the QA/acceptance phase.
These results show that the “shift left” principle, which holds that security is best addressed early in the development life cycle, is being followed by DevSecOps practitioners. This is a positive development.
Secure Coding Training for Developers and Engineers Is Highly Valued
Training developers and engineers in defensive coding and secure programming concepts, risks and techniques is key to shifting responsibilities for security to a stage early in the design and coding life cycle.
Developers also need security training to be effective participants in threat modeling, to perform code reviews and to adopt static application security testing (SAST) tools. When queried about this, 42.5% of respondents say that training is “very useful” while 39.8% agree that it is “useful.”
SANS survey respondents ranked secure coding training higher than pen testing, software composition analysis (SCA), automated SAST, threat modeling, container/image security scanning, dynamic application security testing (DAST), third-party compliance reviews, interactive application security testing (IAST), fuzz testing and bug bounties.
Survey respondents cited the cybersecurity skills shortage as the biggest challenge they continue to face and look to training in secure coding practices as a way to foster a culture of a shared responsibility for security.
‘What Is Measured Is Controlled’
Another key finding of the survey is the importance of key performance indicators (KPIs) and metrics. The number of open security vulnerabilities continues to be the top KPI, while time-to-fix security vulnerabilities remains No. 2.
Interestingly, the use of these KPIs appears to correspond to the 54% of respondents stating that their organization resolves critical security issues within a week or less.
The value of these metrics is conveyed by the axiom “What is measured is controlled” and its corollary, “What is not measured is not controlled.” Management must have the appropriate visibility to focus organizational resources on the underperforming metrics.
The survey’s top takeaway on this is that: “Benchmarking metrics with peer organizations can be used to garner management support and helps demonstrate due care.”
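The two KPIs named above, open vulnerabilities and time-to-fix, are simple to compute once findings are tracked with an opened and a fixed date. The following is an added example and is not part of the SANS report or any Synopsys tooling: the record fields (id, severity, opened, fixed), the dates and the seven-day window are constructed to show the calculation, including how still-open issues are handled.

```python
"""Compute the survey's two top DevSecOps KPIs from a tracker export.

Added example; not SANS or Synopsys code. Records are constructed and the
field names are an assumption about what a tracker or ASOC export contains.
"""
from datetime import datetime
from statistics import median

# Constructed sample export. "fixed" is None while an issue is still open.
RECORDS = [
    {"id": "V-1", "severity": "critical", "opened": "2022-03-01", "fixed": "2022-03-04"},
    {"id": "V-2", "severity": "critical", "opened": "2022-03-02", "fixed": "2022-03-15"},
    {"id": "V-3", "severity": "critical", "opened": "2022-03-10", "fixed": None},
    {"id": "V-4", "severity": "high",     "opened": "2022-02-20", "fixed": "2022-03-01"},
    {"id": "V-5", "severity": "high",     "opened": "2022-03-05", "fixed": None},
    {"id": "V-6", "severity": "medium",   "opened": "2022-01-15", "fixed": "2022-03-20"},
    {"id": "V-7", "severity": "low",      "opened": "2022-03-12", "fixed": None},
]
AS_OF = datetime(2022, 3, 31)  # reporting date for the constructed data


def parse(day):
    """ISO date string -> datetime, or None for an issue that is not fixed."""
    return datetime.strptime(day, "%Y-%m-%d") if day else None


def open_vulnerabilities(records, as_of=AS_OF):
    """KPI 1: number of open vulnerabilities by severity as of a given date.

    An issue is open if it was opened on or before as_of and either has no
    fix date or was fixed after as_of (so historical snapshots are correct).
    """
    counts = {}
    for r in records:
        opened, fixed = parse(r["opened"]), parse(r["fixed"])
        if opened <= as_of and (fixed is None or fixed > as_of):
            counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


def time_to_fix_days(records, severity=None):
    """KPI 2: median days from opened to fixed, over fixed issues only.

    Open issues have no duration yet and are excluded rather than counted
    as zero, which would flatter the metric.
    """
    durations = [
        (parse(r["fixed"]) - parse(r["opened"])).days
        for r in records
        if r["fixed"] and (severity is None or r["severity"] == severity)
    ]
    return median(durations) if durations else None


def critical_fixed_within(records, days=7, as_of=AS_OF):
    """Share of critical issues resolved within `days` (the survey's one-week figure).

    Fixed issues count as hit or miss by their duration. An open issue older
    than the window is a miss; an open issue still inside the window is not
    counted because its outcome is unknown.
    """
    hits = total = 0
    for r in records:
        if r["severity"] != "critical":
            continue
        opened, fixed = parse(r["opened"]), parse(r["fixed"])
        if fixed is not None:
            total += 1
            hits += (fixed - opened).days <= days
        elif (as_of - opened).days > days:
            total += 1  # overdue and still open
    return hits / total if total else None


if __name__ == "__main__":
    print("open by severity:", open_vulnerabilities(RECORDS))
    print("median time-to-fix (days):", time_to_fix_days(RECORDS))
    print("critical fixed within 7 days:", critical_fixed_within(RECORDS))
```

Excluding open issues from time-to-fix while counting overdue open criticals as misses is the choice that keeps the two KPIs honest against each other: a backlog that is never closed cannot lower the median, but it does show up in the one-week resolution rate.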
Shared Security Ownership Is Key to DevSecOps Success
DevSecOps programs succeed by developing a culture in which the various teams share ownership of security. The SANS 2022 DevSecOps Survey results show that improving communication across development, operations and security remains a key success factor across industry sectors.
At the same time, survey respondents continue to consider automating workflows and integrating automated security testing into developer and engineering toolchains as highly important to the success of DevSecOps programs.
Survey results show that respondents consider the following top five factors to have contributed to their security program’s success. Improving communications across development, operations and security came in at 56%, up from 51% in 2021. Automating workflows increased in importance to 55%, up from 43% in the previous survey. Integrating automated security testing into developer tools and workflows also increased to 53%, up from 45%, and securing developer buy-in rose to 52%, from 46% in 2021.
The only factor that decreased was training developers in secure coding, which fell to 48% from 52%.
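The integration respondents rate so highly usually takes the form of a pipeline gate. The following is an added example and not code from SANS or Synopsys: it reads SARIF 2.1.0 output (the interchange format most SAST tools can emit) from a baseline scan of the main branch and from a pull-request scan, and fails the build only on findings that are new and at or above a chosen level. The tool name, file paths, rule IDs and messages are constructed; the fingerprint fallback is a design choice of this example, not something the SARIF schema requires.

```python
"""CI gate on SARIF output: block a change only on newly introduced findings.

Added example; not SANS or Synopsys code. The document layout follows the
SARIF 2.1.0 schema; tool name, paths, rule IDs and messages are constructed.
"""
import json
import sys

# SARIF result levels, low to high. A result with no "level" defaults to "warning".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def _result(rule_id, level, text, uri, line):
    """Build one SARIF result object (helper for the constructed samples)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
    }


def _sarif(results):
    """Wrap results in a minimal single-run SARIF 2.1.0 document."""
    return json.dumps({"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": "example-sast"}},
                                 "results": results}]})


# Constructed baseline: what the scanner already reports on the main branch.
BASELINE_SARIF = _sarif([
    _result("sql-injection", "error", "user input reaches a SQL string", "app/db.py", 40),
    _result("weak-hash", "warning", "MD5 used for password hashing", "app/auth.py", 12),
])

# Constructed pull-request scan: the SQL finding moved five lines because code
# was inserted above it, and two findings are genuinely new.
PR_SARIF = _sarif([
    _result("sql-injection", "error", "user input reaches a SQL string", "app/db.py", 45),
    _result("weak-hash", "warning", "MD5 used for password hashing", "app/auth.py", 12),
    _result("command-injection", "error", "user input reaches subprocess with shell=True",
            "app/tasks.py", 8),
    _result("hardcoded-secret", "warning", "API key literal in source", "app/config.py", 3),
])


def fingerprint(result):
    """Identity of a finding that survives unrelated line shifts.

    Prefer the tool's own partialFingerprints when present; otherwise use
    rule + file + message text, deliberately ignoring the line number so a
    pre-existing finding is not reported as new after an edit above it.
    """
    fp = result.get("partialFingerprints")
    if fp:
        return tuple(sorted(fp.items()))
    uri = result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
    return (result["ruleId"], uri, result["message"]["text"])


def load_findings(sarif_text):
    """Map fingerprint -> result across every run in a SARIF document."""
    doc = json.loads(sarif_text)
    out = {}
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            out[fingerprint(r)] = r
    return out


def gate(baseline_text, current_text, min_level="error"):
    """Return (passed, blocking); blocking lists (rule, file, line) for findings
    absent from the baseline and at or above min_level."""
    baseline = load_findings(baseline_text)
    threshold = LEVEL_RANK[min_level]
    blocking = []
    for fp, r in load_findings(current_text).items():
        level = LEVEL_RANK.get(r.get("level", "warning"), 2)
        if fp in baseline or level < threshold:
            continue
        loc = r["locations"][0]["physicalLocation"]
        blocking.append((r["ruleId"], loc["artifactLocation"]["uri"],
                         loc["region"]["startLine"]))
    return (not blocking, blocking)


if __name__ == "__main__":
    passed, blocking = gate(BASELINE_SARIF, PR_SARIF)
    for rule, path, line in blocking:
        print(f"NEW {rule} at {path}:{line}")
    sys.exit(0 if passed else 1)
```

Gating on new findings rather than all findings is what lets a team turn a scanner on against an existing codebase without blocking every build, which is a large part of the developer buy-in the survey measures; the baseline backlog is then worked down through the open-vulnerability and time-to-fix KPIs rather than in the pull-request path.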
Cultural Issues Remain a Barrier
Challenges remain to the full implementation of DevSecOps programs. It is no surprise to see the survey reflect the ongoing shortage of cloud security personnel and skills. This came in as the No. 1 problem organizations are facing, along with an ongoing lack of developer and engineer buy-in. Respondent ratings for the challenges of insufficient budget and funding for security programs and tools dropped by a bit more than 10 percentage points, while the closely related lack of management buy-in rose by nearly the same amount.
While respondents named improving communication across development, operations and security as their No. 2 success factor, organizational silos between these three teams remain a challenge, along with the associated lack of transparency into development and operations work.
Increasing workplace communication among these teams remains the key practice that leadership needs to encourage. Survey results also point to the need to attract hires who embrace solving problems and enjoy being innovative.
ASOC Is an Emerging Trend
The survey reports that the use of application security orchestration and correlation (ASOC) tools is on the rise and will likely increase in years to come. Respondents report that 10% of organizations have fully integrated ASOC tools, 19% have partially integrated them and 14% are conducting pilot projects. However, while 17% of organizations are conducting preliminary investigations into ASOC, another 17% are not investing in ASOC tools at all, and 23% of respondents do not know whether their organization is investing in ASOC tools.
Along with ASOC, the adoption of artificial intelligence, machine learning, and other data science methodologies and tools will help to improve DevSecOps. Microservices offer DevSecOps teams the advantages of flexible, highly scalable, resilient and easy-to-deploy code.
Identity-based and network-based protections such as microsegmentation are being applied to enable organizations to achieve the widely sought zero trust approach. Through the orchestration of microservices, containers, and serverless technology, DevSecOps has the potential to secure code more thoroughly than has ever been achieved before.
How Synopsys Can Help
Synopsys has solutions for DevSecOps that help you shift security left without slowing down your development teams. Intelligent policy-driven DevSecOps solutions will allow you to run the right tests at the right time while correlating and prioritizing results so you can focus on the issues that matter most.
Synopsys also has tools to help you automate your security policies as code as well as to help your team develop standardized policies for automated security testing and remediation activities in your DevOps workflows.
Synopsys DevSecOps solutions can help your organization manage risks and remove friction from your digital transformation initiatives. Synopsys AppSec and DevSecOps solutions ensure security is built into your applications by offering tooling and services that span all stages of your software development life cycle (SDLC).
Download the full report here.