|DevSecOps Is Growing, But There's Room for Improvement|
|Written by Jeff Broth|
|Thursday, 11 May 2023|
The need to take security seriously and make testing a priority is increasing accepted by organizations. What are the challenges in adopting a shift left approach? Can AI help combat the threats to cybersecurity?
GitLab recently released its 7th annual Global DevSecOps Report, which reveals interesting findings about the global software development community and the growing prevalence of artificial intelligence. One of the most important details from this comprehensive study is the notable growth of security awareness in DevOps.
DevSecOps adoption is still far from ideal, with the GitLab report indicating that only 56 percent of organizations follow DevOps or DevSecOps practices. Nevertheless, there are many indications that organizations are already shifting mindsets when it comes to security, and this bodes well for cybersecurity in general.
Security as a priority
More than five thousand developers, chief information security officers, and IT leaders were surveyed in the GitLab report, and 71 percent of them say that at least 25 percent of their software security vulnerabilities were spotted and addressed by developers. This is an increase of 18 percentage points compared to the figure for the same metric recorded in the previous year.
More developers are getting involved with security as DevSecOps teams rise with the understanding that security is a shared responsibility. The “shift left” movement, which decrees moving testing activities earlier in the software development lifecycle is clearly gaining ground, with security incorporated in the software development process, not undertaken as a separate phase. Shifting security left is regarded as the top focus for the coming year (2023) among the survey’s participants. Nearly three-quarters of those surveyed say that their organizations have already shifted left or are planning to do so in the next few years.
Another interesting finding from the report is the growth of DevSecOps platform usage. Around 72 percent of those that follow DevSecOps practices say that they use a DevSecOps platform or they intend to use one in the following year. Organizations are acknowledging the effectiveness of these relatively new cybersecurity solutions.
Moreover, among the security professionals surveyed in the report, nearly 38 percent say that they perform duties in cross-functional security teams. This is a nearly 10 percent increase from the number recorded in the past year.
To be clear, though, DevSecOps does not instantly turn developers into cybersecurity experts. What happens is that the operations and security teams usually work together to handle security concerns early on instead of working conventionally, which propagates siloing. Some developers eventually learn cybersecurity skills, but it is the collaboration that drives DevSecOps.
Challenges in shifting left
Despite the gains, there are still lingering difficulties in going full-throttle toward security-minded development. One of the most crucial challenges is funding. An overwhelming majority of those surveyed, 85 percent, say that their organizations’ budget for security (in 2022) was either the same or less. GitLab does not necessarily characterize this funding stagnation or reduction as an outright negative. Instead, the report highlights “the urgent need to do more with less.”
This funding insufficiency, however, is expected to make shifting left more difficult in view of other challenges. As mentioned in the report, security professionals are frustrated over their inability to conduct security tests earlier and the difficulty in prioritizing vulnerabilities for remedial action. The solution to these challenges is the use of an advanced cybersecurity platform that facilitates earlier security testing and automates threat handling prioritization and remediation.
Getting a reliable cybersecurity platform entails additional expenditure or new security allocation from the IT budget. However, it is justifiable new spending, especially when taking into account the efficiency new cybersecurity technologies bring.
On the other hand, the report also suggests that the use of various tools in the development process hinders the move towards earlier security testing. Two-thirds of the developers surveyed say that they want their toolchains consolidated within the year. Meanwhile, over a quarter of the security professionals surveyed say that they find it hard to achieve consistent security monitoring because they are using multiple disparate tools. Many security professionals also assert that coming up with cohesive security insights across multiple tools is far from easy.
The report regards toolchain management as a “barrier to developer productivity.” Using many tools has its benefits across the software development lifecycle, especially when it comes to security validation or testing. However, it also has its drawbacks.
Harnessing AI with advanced cybersecurity solutions
Artificial intelligence in cybersecurity is a welcome development for DevSecOps adoption. According to the GitLab study, developers who utilize a DevSecOps platform are more likely to be harnessing AI technology for their security needs.
Around 65 percent of the developers surveyed say that they employ artificial intelligence in their security testing processes or that they are planning to use AI in the next few years. Meanwhile, a similar number of developers, at 62 percent, say that they employ AI in checking the integrity and security of their code. This marks a good enough improvement from the 51 percent logged in the past year. Also, there is a similar increase in the number of developers who say they use bots for code testing, 53 percent in 2023 from 39 percent in 2022.
Many cybersecurity solutions that support the implementation of DevSecOps practices already make use of artificial intelligence. In particular, they use machine learning to build context for the different threats identified by the system. Instead of solely relying on threat intelligence and rules, they use AI to examine actions and behaviors to establish what is normal or safe and detect those that are potentially anomalous and dangerous.
Artificial intelligence also plays a major role in automation. Many tasks can be automated through rules. Still, many more require human intervention or decision-making. With AI, tasks like code quality checking, vulnerability scanning, and web app scanning can also be automated. Code quality testing can be automated with the help of static application security testing (SAST) tools. For web app scanning, automation can be handled by dynamic application security testing (DAST) tools. Containers and dependencies can likewise be scanned automatically through tools like those from Anchore Engine.
Room for more improvement
DevSecOps has come a long way, but it still has a long and winding road to traverse. The challenges in shifting left are not easy to overcome. While cybersecurity solutions are rapidly advancing to help integrate security into the DevOps process, threat actors are relentless in finding ways to defeat security controls and seek out software vulnerabilities to exploit. The time when all organizations already embrace DevSecOps may never come, but that is not enough reason to stop aspiring to make security a big part of the development process. There is huge room for DevSecOps growth and many compelling reasons to shift left.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Saturday, 03 June 2023 )|