A couple of days ago, WhiteSource released its DevSecOps Insights Report, which was aimed at better understanding the level of DevSecOps maturity inside organisations.
20% of respondents described their organisations’ DevSecOps practices as “mature”, 62% said their practices were improving, and 18% described them as “immature”. Additional key insights from the report included:
- In order to meet short deployment cycles, 73% of security professionals and developers feel forced to compromise on security.
- AppSec tools are purchased to ‘check the box’, disregarding developers’ needs and processes, resulting in tools being purchased but not used.
- Developers don’t fully use the tools purchased by the security team. The more mature an organisation is in terms of its DevSecOps practices, the more AppSec tools it uses.
- There is a significant “AppSec knowledge and skills gaps” challenge that is largely neglected by organisations.
- While 60% of security professionals say they have had an AppSec program in place for at least a year, only 37% of developers surveyed were aware of an AppSec program that had been running for that long inside their organisation.
- Security professionals’ top challenge is prioritisation, but organisations lack the standardised processes to streamline vulnerability prioritisation.
Prioritisation of feature development relative to security has long been a challenge, but it’s not without a solution. In a DevSecOps world, empowering development teams can result in higher quality code with fewer security defects. To realise the potential of this paradigm, security leaders need to embed the knowledge within the development flow and not simply bolt it on at the end of the development process. By embedding this knowledge within the development flow, security knowledge created by one team can be shared by others within the overall software development lifecycle (SDLC).
For example, if an Ops team knows about security weaknesses present in the code it runs, and knows that the Dev teams have triaged those weaknesses for future resolution, it can put compensating controls in place in the meantime. By focusing on the information flow rather than the tooling, organisations raise awareness of the kinds of findings that specific security techniques uncover; that in turn increases tool usage and, as development teams work through the findings, the overall security competency of those teams. Combined with low-friction activities such as creating threat models and having the security team take part in scrums, this can raise an organisation’s security maturity quickly by making everyone part of the solution. An effective template for this process can be found in recent ESG research on modern application development security.