Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/27/2019
11:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Report Predicts DevSecOps Boom Over Next 2 Years

Sixty-eight percent of companies say they will be securing three quarters or more of their cloud-native applications with DevSecOps within two years.

Data Theorem commissioned Enterprise Strategy Group to survey 371 IT and cybersecurity professionals who had responsibility for cloud programs at organizations in North America to look at how data protection and security standards are changing because of the newer mixing of cloud applications alongside onsite processing.

They have just released the results as "Security for DevOps – Enterprise Survey Report."

It found that only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today. That number rose to 68% of companies saying that they will be securing 75% or more of their cloud-native applications with DevSecOps practices in two years.

The surveyed organizations are mature cloud users in terms of public cloud services and/or containers. Survey participants represented a wide range of industries, including manufacturing, financial services, healthcare, communications and media, retail, government, and business services.

API security was the top area that was reported for current or projected incremental spend. API security was also reported as most important by respondents among the cloud-native application security controls, at 37%.

Showing how teams have divided, 82% of organizations have different teams assigned to secure cloud-native apps. Of this group, 50% of respondents' organizations plan to merge these responsibilities in the future, while 32% of respondents' organizations do not plan to merge these responsibilities.

Also, over half of respondents indicated their organization's software developers were already using serverless functions to some extent. Another 44% of the developers were either evaluating or planning to start using serverless within the next two years.

Due to a perception that existing security controls do not support cloud-native applications, the report found that many organizations have turned to a series of point tools managed by separate teams. However, this just exacerbates the complexity problem as 73% of respondents believe that their organization uses too many specialized products to properly secure cloud-native applications.

Organizations diverge as to the stage at which they introduce security controls to protect cloud-native applications. While more than one in five view the importance of pre-deployment and runtime security equally, 40% prioritize runtime controls, with the remaining 37% prioritizing a pre-deployment approach.

When asked what are the most important pre-deployment cloud-native application security controls, software vulnerability scanning of registry-resident container images came in first at 26%. The next most important pre-deployment cloud-native application security control was API vulnerability management, at 25%.

Respondents felt that deployment flexibility and support for all types of servers and compute platforms were the top two answers (both at 38%) for the most important attributes of products used to secure cloud-native apps.

"ESG's industry report is aligned with what we've long suspected with organizations, and with what we have witnessed in the industry," said Doug Dooley, Data Theorem COO in a prepared statement. "Production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions. They need to understand the associated risks and new threat model they are facing, and the means of addressing these cloud native and API risks."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Tell him only Kevin Mitnick and the President know the launch codes.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...