Organisations plan to invest in DevSecOps in 2023, and the level of urgency for them to do so has grown.
In a recent survey conducted by the Neustar International Security Council (NISC), 93% of participating information technology and security professionals reported that DevSecOps would be a significant budgeting priority in the coming year, with 55% emphasising it would be a very significant priority for their organisation.
Additionally, 86% of respondents agree that the urgency to prioritise DevSecOps has increased within their organisation over the past 12 months. The top three factors driving this urgency were growing risk driven by accelerating digitisation of their business (60%), the proliferation of high-profile supply chain attacks across the industry (53%), and an increasingly complex and rigorous regulatory and compliance landscape marked by growing liability for their organisation should customers or partners be put at risk.
Carlos Morales, senior VP of solutions at Neustar Security Services, said: “DevSecOps has become a high priority for organisations as they look to better establish security as a central tenet through every phase of the software development lifecycle and ensure every release has security baked into the code.
“By making security a shared responsibility across development, operations and security teams, DevSecOps should help better position organisations to identify potential vulnerabilities early in the process – ideally before being put into production – and save them from much bigger headaches down the line.”
Application vulnerabilities can be costly, both in resources allocated to fix security gaps and in revenue should a breach result in lost business and confidence. Among NISC survey participants, 92% agreed – 40% strongly so – that companies should face consequences if their software is found to be unsound or insecure. Many favoured government interventions, with approximately half (51%) saying government bodies should force the culprit to implement more rigorous security measures and adopt DevSecOps, while nearly four-in-ten (38%) felt government bodies should punish the offending company with sizable fines. A strong proportion of respondents were also in favour of recourse for impacted companies.
50% felt the liable party should foot the bill for all mitigation and remediation costs by impacted downstream organisations, while 44% said downstream companies or customers relying on the vulnerable software should be able to file suit for damages. Moreover, 93% of organisations agree that federal mandates for software supply chain security controls are a good idea and should be implemented broadly, and more than one-third (36%) feel strongly about the prospect.
While more than nine in 10 organisations reside somewhere on the spectrum between building and fully implementing a formal DevSecOps strategy, only 13% of surveyed participants confirmed that their organisation has fully implemented their strategy. Almost one-third (29%) are in the process of implementing a strategy, while 15% are on the cusp of implementation and 35% are still in the process of building a formal strategy.
Various drivers are contributing to organisations’ adoption of DevSecOps. Nearly three quarters (72%) of respondents identified improving their ability to discover, profile and monitor a growing inventory of applications and APIs through automated processes as one of the three most important drivers of their adoption of DevSecOps. Other important drivers of adoption include the need for more thorough code monitoring to better detect vulnerabilities throughout development, testing and operations (64%), driving a more robust security-centric culture for the organisation (63%), and better compliance monitoring (62%).
Despite the growing importance of adopting DevSecOps, a range of factors are holding organisations back from doing so successfully. Chief among them is the shortage of security talent needed to implement the programme, as cited by 42% of respondents. Other factors detracting from efforts include the organisational culture (37%), tool incompatibility (36%), difficulty in finding a project champion or shared responsibility for the initiative (33%), and a lack of buy-in from senior leadership (29%).
In other security concerns, professionals during the reporting period of July and August 2022 remained focused on the potential for DDoS attacks, which were identified by 21% as their highest perceived threat. Similar to past survey periods, system compromise and ransomware followed as top concerns among 20% and 17% of respondents, respectively. Also similar to last period, ransomware was perceived to be an increasing threat among 75% of survey respondents, while generalised phishing jumped in visibility and was on the radar for 74% of participants. DDoS attacks, targeted hacking and social engineering via email closely followed, reported as increasing by 72%, 71% and 70% of surveyed professionals, respectively.
DDoS attacks continue to be prevalent, and 86% of enterprises surveyed indicated that they have been on the receiving end of a DDoS attack at some point, a one-percentage-point increase over the previous survey period. The majority (56%) outsource their DDoS mitigation, and most (62%) indicated that mitigation of attacks typically occurred between 60 seconds and 5 minutes, consistent with previous survey findings.
The NISC survey was conducted in September 2022 and reflects respondents’ activity and concerns during July and August 2022. The survey enlisted feedback from senior information technology and security professionals from across six EMEA and US markets.
The Neustar International Security Council is a group of select cybersecurity leaders across key industries and companies. Through face-to-face events including an annual summit, quarterly thought-leadership seminars and regional roundtables, members learn and share the latest trends from leading experts and peers.