Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/27/2019
11:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Report Predicts DevSecOps Boom Over Next 2 Years

Sixty-eight percent of companies say they will be securing three quarters or more of their cloud-native applications with DevSecOps within two years.

Data Theorem commissioned Enterprise Strategy Group to survey 371 IT and cybersecurity professionals who had responsibility for cloud programs at organizations in North America to look at how data protection and security standards are changing because of the newer mixing of cloud applications alongside onsite processing.

They have just released the results as "Security for DevOps – Enterprise Survey Report."

It found that only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today. That number rose to 68% of companies saying that they will be securing 75% or more of their cloud-native applications with DevSecOps practices in two years.

The surveyed organizations are mature cloud users in terms of public cloud services and/or containers. Survey participants represented a wide range of industries, including manufacturing, financial services, healthcare, communications and media, retail, government, and business services.

API security was the top area that was reported for current or projected incremental spend. API security was also reported as most important by respondents among the cloud-native application security controls, at 37%.

Showing how teams have divided, 82% of organizations have different teams assigned to secure cloud-native apps. Of this group, 50% of respondents' organizations plan to merge these responsibilities in the future, while 32% of respondents' organizations do not plan to merge these responsibilities.

Also, over half of respondents indicated their organization's software developers were already using serverless functions to some extent. Another 44% of the developers were either evaluating or planning to start using serverless within the next two years.

Due to a perception that existing security controls do not support cloud-native applications, the report found that many organizations have turned to a series of point tools managed by separate teams. However, this just exacerbates the complexity problem as 73% of respondents believe that their organization uses too many specialized products to properly secure cloud-native applications.

Organizations diverge as to the stage at which they introduce security controls to protect cloud-native applications. While more than one in five view the importance of pre-deployment and runtime security equally, 40% prioritize runtime controls, with the remaining 37% prioritizing a pre-deployment approach.

When asked what are the most important pre-deployment cloud-native application security controls, software vulnerability scanning of registry-resident container images came in first at 26%. The next most important pre-deployment cloud-native application security control was API vulnerability management, at 25%.

Respondents felt that deployment flexibility and support for all types of servers and compute platforms were the top two answers (both at 38%) for the most important attributes of products used to secure cloud-native apps.

"ESG's industry report is aligned with what we've long suspected with organizations, and with what we have witnessed in the industry," said Doug Dooley, Data Theorem COO in a prepared statement. "Production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions. They need to understand the associated risks and new threat model they are facing, and the means of addressing these cloud native and API risks."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.