Organizations plan to invest in DevSecOps in 2023, and the level of urgency for them to do so has grown.
In a recent survey conducted by the Neustar International Security Council (NISC), 93 percent of participating information technology and security professionals reported that DevSecOps would be a significant budgeting priority in 2023, with 55 percent emphasizing it would be a very significant priority with their organization.
Factors to consider
Additionally, 86 percent of respondents agree that the urgency to prioritize DevSecOps has increased within their organization over the past 12 months.
The top three factors driving this urgency were growing risk driven by accelerating digitization of their business (60 percent), the proliferation of high-profile supply chain attacks across the industry (53 percent), and an increasingly complex and rigorous regulatory and compliance landscape marked by growing liability for their organization should customers or partners be put at risk.
Identifying vulnerabilities
DevSecOps should help better position organizations to identify potential vulnerabilities early"
“DevSecOps has become a high priority for organizations as they look to better establish security as a central tenet through every phase of the software development lifecycle and ensure every release has security baked into the code,” said Carlos Morales, senior vice president of solutions at Neustar Security Services.
“By making security a shared responsibility across development, operations, and security teams, DevSecOps should help better position organizations to identify potential vulnerabilities early in the process ideally before being put into production, and save them from much bigger headaches down the line.”
Insecure software consequences
Application vulnerabilities can be costly, both in resources allocated to fix security gaps and in revenue should a breach result in lost business and confidence. Among NISC survey participants, 92 percent agreed - 40 percent strongly that companies should face consequences if their software is found to be unsound or insecure.
Many favored government interventions, with approximately half (51 percent) saying government bodies should force the culprit to implement more rigorous security measures and adopt DevSecOps, while nearly four in ten (38 percent) felt government bodies should punish the offending company with sizable fines.
Software supply chain security controls
A strong proportion of respondents were also in favor of recourse for impacted companies. 50 percent felt the liable party should foot the bill for all mitigation and remediation costs by impacted downstream organizations, while 44 percent said downstream companies or customers relying on the vulnerable software should be able to file suit for damages.
Moreover, 93 percent of organizations agree that federal mandates for software supply chain security controls are a good idea and should be implemented broadly, and more than one-third (36 percent) feel strongly about the prospect.
Implementing the DevSecOps strategy
Only 13 percent of surveyed participants confirmed that their organization has fully implemented its strategy
While more than nine in 10 organizations reside somewhere on the spectrum between building and fully implementing a formal DevSecOps strategy, only 13 percent of surveyed participants confirmed that their organization has fully implemented its strategy.
Almost one-third (29 percent) are in the process of implementing a strategy, while 15 percent are on the cusp of implementation and 35 percent are still in the process of building a formal strategy.
Drivers of adoption
Various drivers are contributing to organizations’ adoption of DevSecOps. Nearly three-quarters (72 percent) of respondents identified improving their ability to discover, profile and monitor a growing inventory of applications and APIs through automated processes as one of the three most important drivers of their adoption of DevSecOps.
Other important drivers of adoption include the need for more thorough code monitoring to better detect vulnerabilities throughout development, testing, and operations (64 percent), driving a more robust security-centric culture for the organization (63 percent), and better compliance monitoring (62 percent).
Factors for delayed DevSecOps adoption
Despite the growing importance of adopting DevSecOps, a range of factors are holding organizations back from doing so successfully. Chief among them is the shortage of security talent needed to implement the program, as cited by 42 percent of respondents.
Other factors detracting from efforts include the organizational culture (37 percent), tool incompatibility (36 percent), difficulty in finding a project champion or shared responsibility for the initiative (33 percent), and a lack of buy-in from senior leadership (29 percent).
Security concerns
System compromise and ransomware followed as top concerns among 20 percent and 17 percent of respondents
In other security concerns, professionals during the reporting period of July and August 2022 remained focused on the potential for DDoS attacks, which were identified by 21 percent as their highest perceived threat. Similar to past survey periods, system compromise and ransomware followed as top concerns among 20 percent and 17 percent of respondents, respectively.
Also similar to last period, ransomware was perceived to be an increasing threat among 75 percent of survey respondents, while generalized phishing jumped in visibility and was on the radar for 74 percent of participants. DDoS attacks, targeted hacking, and social engineering via email were closely followed and reported as increasing by 72 percent, 71 percent, and 70 percent of surveyed professionals, respectively.
DDoS attacks
DDoS attacks continue to be prevalent, and 86 percent of enterprises surveyed indicated that they have been on the receiving end of a DDoS attack at some point, a one-percentage-point increase over the previous survey period.
The majority (56 percent) outsource their DDoS mitigation, and most (62 percent) indicated that mitigation of attacks typically occurred between 60 seconds and 5 minutes, consistent with previous survey findings.
NISC survey
The NISC survey was conducted in September 2022 and reflects respondents’ activity and concerns during July and August 2022.
The survey enlisted feedback from senior information technology and security professionals from across six EMEA and U.S. markets.
Learn why leading casinos are upgrading to smarter, faster, and more compliant systems
- Network / IP
- Biometrics
- Office surveillance
- Digital video surveillance
- Office security systems
- Office security
- Industrial security
- Commercial security
- Security management
- Security policy
- Security installation
- Security tagging
- Security cameras
- Security camera systems
- Security monitoring system
- Facial recognition systems
- Network monitoring
- Video analytics
- Intrusion detection
- Identity management
- Fingerprint reader
- Industrial security systems
- Security software
- Security service
- Industrial surveillance
- Integration software
- Cyber security
- Crime prevention
- Crowd Management
- Corporate Security
- Indoor Security
- Data Security
- Network Video Recorders
- Digital Video Recorders
- Incident Management
- Cloud security
