DevSecOps adoption grows worldwide despite security concerns
DevSecOps methodology is an important, rapidly growing trend worldwide, with 63 percent of respondents to a new study reporting they are incorporating some measure of DevSecOps into their software development pipelines.
The survey of 1,500 IT professionals conducted by the Synopsys Cybersecurity Research Center (CyRC) and Censuswide also shows 33 percent have DevSecOps in a mature or widely deployed state in their business.
When adopting open source components, security and a component's vulnerability to exploit are top-of-mind for 50 percent of respondents, and are cited as the number one selection criterion when they vet a new open source component.
Just over half (51 percent) say it takes two to three weeks for their organization to apply an open source patch, with 24 percent saying that it can take up to a month, even when the patch addresses a critical issue.
A full 52 percent of respondent organizations in the US also have had their software delivery schedule affected in the past year in order to address a critical open source patch, compared to 40 percent globally. Interestingly, 46 percent of respondents note that media coverage of open source issues affects how their organizations manage open source risk.
"It's clear that unpatched vulnerabilities are a major source of developer pain, and ultimately business risk," says Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center. "The 'DevSecOps Practices and Open Source Management in 2020' report highlights how organisations are struggling to effectively track and manage their open source risk."
There's also little consensus on security tools. Even the tool with the highest adoption rate (the web application firewall) is used by less than half of respondents. Only 38 percent of respondent organizations use software composition analysis (SCA) tools, while 47 percent say that they define standards around the age of the open source components they use.
"Over half -- 51 percent -- say it takes two to three weeks for them to apply an open source patch," Mackey continues. "This is likely tied to the fact that only 38 percent are using an automated software composition analysis (SCA) tool to identify which open source components are in use and when updates are released. The remaining organisations are probably employing manual processes to manage open source -- processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily."
The full report is available from the Synopsys site.