theDocumentId => 754462 Report Predicts DevSecOps Boom Over Next 2 Years

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/27/2019
11:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Report Predicts DevSecOps Boom Over Next 2 Years

Sixty-eight percent of companies say they will be securing three quarters or more of their cloud-native applications with DevSecOps within two years.

Data Theorem commissioned Enterprise Strategy Group to survey 371 IT and cybersecurity professionals who had responsibility for cloud programs at organizations in North America to look at how data protection and security standards are changing because of the newer mixing of cloud applications alongside onsite processing.

They have just released the results as "Security for DevOps – Enterprise Survey Report."

It found that only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today. That number rose to 68% of companies saying that they will be securing 75% or more of their cloud-native applications with DevSecOps practices in two years.

The surveyed organizations are mature cloud users in terms of public cloud services and/or containers. Survey participants represented a wide range of industries, including manufacturing, financial services, healthcare, communications and media, retail, government, and business services.

API security was the top area that was reported for current or projected incremental spend. API security was also reported as most important by respondents among the cloud-native application security controls, at 37%.

Showing how teams have divided, 82% of organizations have different teams assigned to secure cloud-native apps. Of this group, 50% of respondents' organizations plan to merge these responsibilities in the future, while 32% of respondents' organizations do not plan to merge these responsibilities.

Also, over half of respondents indicated their organization's software developers were already using serverless functions to some extent. Another 44% of the developers were either evaluating or planning to start using serverless within the next two years.

Due to a perception that existing security controls do not support cloud-native applications, the report found that many organizations have turned to a series of point tools managed by separate teams. However, this just exacerbates the complexity problem as 73% of respondents believe that their organization uses too many specialized products to properly secure cloud-native applications.

Organizations diverge as to the stage at which they introduce security controls to protect cloud-native applications. While more than one in five view the importance of pre-deployment and runtime security equally, 40% prioritize runtime controls, with the remaining 37% prioritizing a pre-deployment approach.

When asked what are the most important pre-deployment cloud-native application security controls, software vulnerability scanning of registry-resident container images came in first at 26%. The next most important pre-deployment cloud-native application security control was API vulnerability management, at 25%.

Respondents felt that deployment flexibility and support for all types of servers and compute platforms were the top two answers (both at 38%) for the most important attributes of products used to secure cloud-native apps.

"ESG's industry report is aligned with what we've long suspected with organizations, and with what we have witnessed in the industry," said Doug Dooley, Data Theorem COO in a prepared statement. "Production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions. They need to understand the associated risks and new threat model they are facing, and the means of addressing these cloud native and API risks."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-18428
PUBLISHED: 2021-07-26
tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS).
CVE-2020-18430
PUBLISHED: 2021-07-26
tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS).
CVE-2021-37576
PUBLISHED: 2021-07-26
arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.
CVE-2021-37555
PUBLISHED: 2021-07-26
TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the default password of 059AnkJ for the root account. The user can then download the filesystem through preinstalled BusyB...
CVE-2020-23240
PUBLISHED: 2021-07-26
Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.