

Self-Service Security for Developers Is the DevSecOps Brass Ring

DevOps teams with full security integration and self-service capabilities are 80% more likely to fix critical vulnerabilities in under a day, according to the ninth annual "State of DevOps Report."

Highly mature DevOps organizations that integrate security functions into all stages of development provide their developers with more self-service tooling and, as a result, fix vulnerabilities faster. So says the "2020 State of DevOps Report," which shows security maturity has slowly but surely improved across DevOps organizations this year.

The report is based on one of the longest-running and most comprehensive annual surveys of DevOps practitioners, this year querying 2,400 professionals from a range of development, IT, and information security roles within their organizations. A big theme this year is the role that self-service tools play in DevOps success: not just for security, but also in giving engineering teams self-service functions to provision systems, manage configurations, track performance, and tap into software component libraries.


The report shows the highest-maturity organizations take an internal platform approach to delivering these self-service capabilities, often managed by a platform team that scales the platforms to support a mesh of different development teams and application projects across the organization.

"Broadly speaking, the platform team provides the infrastructure, environments, deployment pipelines, and other internal services that enable internal customers — usually application development teams — to build, deploy and run their applications," the report explains. 

The survey shows 63% of organizations today use internal platforms, with about 71% of those using between two and five different internal platforms. Approximately four in 10 organizations say 50% or more of their developers now use internal platforms.

An organization's ability to fold self-service security functionality into these internal platforms tends to be highly correlated with the degree of security integration it has achieved across the software delivery life cycle. The survey asked respondents to pick which of the five phases of the life cycle have security integrated: requirements, design, building, testing, and deployment. It found the share of organizations with two or more phases integrated has gone up from 63% last year to 70% this year. The share of organizations with complete integration now stands at 12%.

As the report explains, the self-service offering of security and compliance validation is intertwined with the push for greater integration. Among those with three to four phases of development integrated with security, 42% offer self-service security and compliance validation. And 58% of those that have achieved full security integration across all five phases say they provide self-service security. Companies that have fully integrated security are more than twice as likely to offer self-service security as firms with no security integration.

"Integrating security at every stage of the software delivery life cycle is more than just shifting security checks to the left," the report explains. "Security integration requires a completely different approach, one that emphasizes cross‑team collaboration and empowers delivery teams to autonomously prevent, discover and remediate security issues."

Greater integration and use of self-service security seem to contribute highly to positive application security results. Only 25% of organizations with no security integration and low levels of self-service security capabilities say they can remediate critical security vulnerabilities in under a day. On the other side of the spectrum, 45% of organizations with full security integration and high incidence of self-service security offerings say they can fix critical flaws within a day.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
