Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/27/2019
11:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Report Predicts DevSecOps Boom Over Next 2 Years

Sixty-eight percent of companies say they will be securing three quarters or more of their cloud-native applications with DevSecOps within two years.

Data Theorem commissioned Enterprise Strategy Group to survey 371 IT and cybersecurity professionals who had responsibility for cloud programs at organizations in North America to look at how data protection and security standards are changing because of the newer mixing of cloud applications alongside onsite processing.

They have just released the results as "Security for DevOps – Enterprise Survey Report."

It found that only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today. That number rose to 68% of companies saying that they will be securing 75% or more of their cloud-native applications with DevSecOps practices in two years.

The surveyed organizations are mature cloud users in terms of public cloud services and/or containers. Survey participants represented a wide range of industries, including manufacturing, financial services, healthcare, communications and media, retail, government, and business services.

API security was the top area that was reported for current or projected incremental spend. API security was also reported as most important by respondents among the cloud-native application security controls, at 37%.

Showing how teams have divided, 82% of organizations have different teams assigned to secure cloud-native apps. Of this group, 50% of respondents' organizations plan to merge these responsibilities in the future, while 32% of respondents' organizations do not plan to merge these responsibilities.

Also, over half of respondents indicated their organization's software developers were already using serverless functions to some extent. Another 44% of the developers were either evaluating or planning to start using serverless within the next two years.

Due to a perception that existing security controls do not support cloud-native applications, the report found that many organizations have turned to a series of point tools managed by separate teams. However, this just exacerbates the complexity problem as 73% of respondents believe that their organization uses too many specialized products to properly secure cloud-native applications.

Organizations diverge as to the stage at which they introduce security controls to protect cloud-native applications. While more than one in five view the importance of pre-deployment and runtime security equally, 40% prioritize runtime controls, with the remaining 37% prioritizing a pre-deployment approach.

When asked what are the most important pre-deployment cloud-native application security controls, software vulnerability scanning of registry-resident container images came in first at 26%. The next most important pre-deployment cloud-native application security control was API vulnerability management, at 25%.

Respondents felt that deployment flexibility and support for all types of servers and compute platforms were the top two answers (both at 38%) for the most important attributes of products used to secure cloud-native apps.

"ESG's industry report is aligned with what we've long suspected with organizations, and with what we have witnessed in the industry," said Doug Dooley, Data Theorem COO in a prepared statement. "Production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions. They need to understand the associated risks and new threat model they are facing, and the means of addressing these cloud native and API risks."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.