Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/27/2019
11:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Report Predicts DevSecOps Boom Over Next 2 Years

Sixty-eight percent of companies say they will be securing three quarters or more of their cloud-native applications with DevSecOps within two years.

Data Theorem commissioned Enterprise Strategy Group to survey 371 IT and cybersecurity professionals who had responsibility for cloud programs at organizations in North America to look at how data protection and security standards are changing because of the newer mixing of cloud applications alongside onsite processing.

They have just released the results as "Security for DevOps – Enterprise Survey Report."

It found that only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today. That number rose to 68% of companies saying that they will be securing 75% or more of their cloud-native applications with DevSecOps practices in two years.

The surveyed organizations are mature cloud users in terms of public cloud services and/or containers. Survey participants represented a wide range of industries, including manufacturing, financial services, healthcare, communications and media, retail, government, and business services.

API security was the top area that was reported for current or projected incremental spend. API security was also reported as most important by respondents among the cloud-native application security controls, at 37%.

Showing how teams have divided, 82% of organizations have different teams assigned to secure cloud-native apps. Of this group, 50% of respondents' organizations plan to merge these responsibilities in the future, while 32% of respondents' organizations do not plan to merge these responsibilities.

Also, over half of respondents indicated their organization's software developers were already using serverless functions to some extent. Another 44% of the developers were either evaluating or planning to start using serverless within the next two years.

Due to a perception that existing security controls do not support cloud-native applications, the report found that many organizations have turned to a series of point tools managed by separate teams. However, this just exacerbates the complexity problem as 73% of respondents believe that their organization uses too many specialized products to properly secure cloud-native applications.

Organizations diverge as to the stage at which they introduce security controls to protect cloud-native applications. While more than one in five view the importance of pre-deployment and runtime security equally, 40% prioritize runtime controls, with the remaining 37% prioritizing a pre-deployment approach.

When asked what are the most important pre-deployment cloud-native application security controls, software vulnerability scanning of registry-resident container images came in first at 26%. The next most important pre-deployment cloud-native application security control was API vulnerability management, at 25%.

Respondents felt that deployment flexibility and support for all types of servers and compute platforms were the top two answers (both at 38%) for the most important attributes of products used to secure cloud-native apps.

"ESG's industry report is aligned with what we've long suspected with organizations, and with what we have witnessed in the industry," said Doug Dooley, Data Theorem COO in a prepared statement. "Production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions. They need to understand the associated risks and new threat model they are facing, and the means of addressing these cloud native and API risks."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/1/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Threat from the Internet--and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15478
PUBLISHED: 2020-07-01
The Journal theme before 3.1.0 for OpenCart allows exposure of sensitive data via SQL errors.
CVE-2020-6261
PUBLISHED: 2020-07-01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
CVE-2020-15471
PUBLISHED: 2020-07-01
In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c.
CVE-2020-15472
PUBLISHED: 2020-07-01
In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.
CVE-2020-15473
PUBLISHED: 2020-07-01
In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.