Only 30% of Orgs Fully Implement DevSecOps

With pressure to release more quickly, security is shifting left within the continuous development pipeline in most organizations. The need for this grows with the number of cyber attacks. However, a lack of training and poor visibility hinder many DevSecOps launches, according to a recent CSA study.

DevSecOps is still a relatively new practice and has not yet reached maturity in most organizations. Although nearly all companies are on their way, only 30% of security professionals say they fully implement DevSecOps in practice today. This leaves most organizations still in the thinking and planning stages of DevSecOps.

The CSA recently released its Secure DevOps and Misconfigurations 2021 report, which was commissioned by Trend Micro. The report found that misconfigurations usually originate from default security settings. A lack of internal training and of access to security resources usually hampers DevSecOps maturity as well.

Below, I’ll review other key points from the report to see how they can inform organizations as they transition to DevSecOps implementation.

DevSecOps adoption status

DevSecOps aims to strengthen security around rapid deployment. It builds security directly into DevOps by shifting security automation to the left and breaking down the silos between DevOps and IT security teams.

While most engineers are aware of the benefits of DevSecOps, the state of the DevSecOps journey varies greatly from one organization to another. An impressive 90% of organizations are at some point on the journey towards DevSecOps, but only 30% are implementing DevSecOps, while 24% are in the planning stage, 18% are designing and 18% are still refining their DevSecOps strategy. More than one in ten security professionals say their team has no plans to invest in DevSecOps at all.

Looking ahead, 42% said they will fully implement DevSecOps within the next 12 months. But because the practice is still nascent, misconfigurations persist. The main reason cited for these misconfigurations was poor or lacking internal training (33%).

Many professionals say that there is simply not enough training, support, or internal knowledge about vulnerabilities and misconfigurations. Other major causes of misconfiguration include unsafe defaults (18%) and deprecation (16%).

Beyond misconfigurations, teams also report challenges with identity, authorization, and access. Ensuring correct privileges is vital to avoid privilege escalation attacks, which remain a prevalent problem. Between 2019 and 2020, 80% of businesses experienced a data breach of some sort, many of which were due to misconfigured access controls. OWASP also reported that broken authorization is a major security vulnerability for high-traffic Web API endpoints.

Common Threat Mitigation Practices

To mitigate these threats, development and security teams must maintain best practices, but several issues stand in the way of DevSecOps. For example, 60% of security professionals say their biggest challenge is insufficient visibility into security or compliance vulnerabilities (by far the most common challenge), and 11% also cited inconsistent cloud account setup. Finally, 10% say that slow, time-consuming and/or inadequate architecture is holding them back.

One way to mitigate threats is to conduct routine security reviews frequently. However, it is difficult to set a specific standard here, as the frequency with which organizations review cloud infrastructure for weaknesses or misconfigurations varies widely. Currently, 22% perform such security reviews daily, 22% monthly, 18% weekly, and 23% quarterly, according to the survey. This rate is likely to increase as DevSecOps becomes more common and more automated within the development lifecycle.

Staying up to date with modern security frameworks is another factor that affects DevSecOps adoption; organizations tend to follow multiple frameworks to inform their security strategy. More than three-quarters (78%) follow the National Institute of Standards and Technology (NIST) guidelines, 67% follow the Center for Internet Security (CIS) standards, 66% follow the Cloud Security Alliance (CSA), 54% follow the International Organization for Standardization (ISO) and 44% said they follow Amazon Web Services (AWS) security recommendations.

For example, NIST, the government-run standards-setting body, recently developed cybersecurity guidelines that recommend the use of a zero-trust network and cross-departmental services. These security guidelines can be viewed as architectural standards, especially for large, highly regulated industries.

DevSecOps Training Types

Finally, investing in community resources and training is another way to increase DevSecOps awareness. Only half of the survey respondents reported that resources for DevSecOps best practices were even moderately available to them; thus, the onus is on leaders to democratize this knowledge within their organization.

The majority of respondents (81%) cited articles and online training as the primary form of learning about cloud security tools and vendors. Workshops, conferences and webinars follow closely. Organizations are also adopting many internal knowledge-sharing methods in response to incidents: 85% of them said they perform awareness training, followed by tabletop exercises (52%), attack simulation (45%) and protocol or response framework exercises (37%).

The future of DevSecOps in the cloud

It looks like most teams are still crafting their DevSecOps strategy. But looking ahead, 42% said they will fully implement DevSecOps within the next 12 months. At the same time, more cloud adoption is expected across the industry.

Currently, 40% of organizations have between 41% and 99% of their workloads in the public cloud, and 55% of organizations expect to have 41% to 99% of their workloads in the public cloud within the next year. The type of workloads is also likely to evolve in the coming year, as more organizations move to container platforms, function as a service, and other serverless capabilities. To reap the full benefits that these new technologies promise, organizations must undoubtedly respond to a new class of vulnerabilities in cloud-native environments.

About the report

The Cloud Security Alliance (CSA) is a non-profit organization whose mission is to promote best practices for ensuring cybersecurity in cloud computing and IT technologies. The Secure DevOps and Misconfigurations survey was conducted from July 2021 through September 2021 and collected over 900 responses from a global pool of IT security professionals working across various sectors and organizational sizes. For a full copy of the report, you can provide some personal information to download it as a PDF here.
