Get to grips with DevSecOps – and address security flaws much more quickly
The number of vulnerable applications in an organisation’s ecosystem remains at a ‘staggeringly high’ level, according to new research – but putting DevSecOps practices into action appears to have some benefits.
That’s according to a report from CA Veracode. The latest State of Software Security report – CA Technologies having acquired Veracode last year – gives a ‘promising’ verdict on how DevSecOps can provide better organisational security and efficiency.
DevSecOps involves bringing security into the DevOps fold, and making security testing a natural part of the development process. According to the study, which examined fix rates across 2 trillion lines of code, more than 70% of flaws were still there one month after being discovered. 55% had not been remediated three months after discovery. One in four flaws rated ‘high’ or ‘very high’ severity had not been addressed within 290 days of discovery.
More than 85% of all apps analysed contained at least one vulnerability following the first scan, with more than 13% containing at least one very high severity flaw.
Writing for sister publication CloudTech in April, Aruna Ravichandran, vice president of DevOps marketing at CA Technologies, argued the business case for DevSecOps ‘couldn’t be clearer’. Business benefits noted by early adopters include accelerated time-to-market, improved competitive advantage, and healthier top and bottom lines. “It drives business performance because security cannot be an afterthought,” wrote Ravichandran.
“Security-minded organisations have recognised that embedding security design and testing directly into the continuous software delivery cycle is essential to achieving the DevSecOps principles of balance of speed, flexibility and risk management,” said Chris Eng, CA Veracode vice president of research. “Until now, it’s been challenging to pinpoint the benefits of this approach, but this latest State of Software Security report provides hard evidence that organisations with more frequent scans are fixing flaws more quickly.
“These incremental improvements amount over time to a significant advantage in competitiveness in the market and a huge drop in risk associated with vulnerabilities,” added Eng.
You can read the full report here (email required).