A study published by Enterprise Strategy Group (ESG) in collaboration with Data Theorem, a provider of tools for securing application programming interfaces (APIs) and mobile applications, finds that while a lot of progress has been made in terms of adopting DevSecOps, most organizations still have a very long road ahead before they can claim DevSecOps practices have been implemented consistently across the organization.
Based on a survey of 371 IT and cybersecurity professionals at organizations in North America, the ESG study finds 55% of respondents have incorporated security into their DevOps processes, with another 22% planning to do so and 20% still in the evaluation stage. However, the study makes it clear that adoption of DevSecOps is still uneven at best. Only 33% are involving cybersecurity teams at the start of the application development process. And 39% of respondents report that members of their cybersecurity team are involved with more than half of cloud-native application projects today—a number that is projected to jump to 78% in the next two years.
The survey also notes only 8% of respondents are securing 75% or more of their cloud-native applications with DevSecOps practices today. Within two years, however, 68% of respondents expect to be securing 75% or more of their cloud-native applications using DevSecOps practices.
Doug Cahill, a senior analyst and group director at ESG, said the study makes it clear cybersecurity increasingly is being baked into applications rather than bolted on. The challenge now is finding a way to accomplish that goal at unprecedented levels of scale, he said.
The platforms on which applications are being built and deployed are more diverse than ever. Organizations are running workloads on virtual machines (34%), bare-metal servers (28%), containers (23%) and serverless computing frameworks (15%), according to the survey results. Only 10% are running more than 50% of those workloads on a public cloud, but that amount is forecasted to jump to 30% in two years.
Not surprisingly, the biggest cybersecurity challenges those organizations face is consistently managing cybersecurity across multiple platforms (43%), the cost and complexity of implementing cybersecurity controls across those platforms (35%) and lack of understanding of the threat vectors cloud-native applications face (35%).
In terms of container security concerns, aligning controls with deployment models (32%) and verifying images in registries meet compliance requirements (32%) were cited as the top two issues. In terms of serverless computing, application programming interface (API) vulnerabilities (32%) were the most cited. As far as budget allocations are concerned, vulnerability scanning of registry-resident container images (26%) narrowly beat out API vulnerabilities tools (25%).
Half of respondents also said they expect their organization will consolidate controls by leveraging suites and platforms procured from a smaller set of vendors or even a single vendor. Nearly three-quarters (73%) said they believe that their organization uses too many specialized products to secure cloud-native applications properly. Nevertheless, 59% said they prefer disparate point controls to achieve more functionality even if it means using multiple controls for different compute types/locations.
The most important attributes of products used to secure cloud-native apps identified by survey respondents included a rich set of pre-deployment capabilities, runtime capabilities and support across a mix of server workload types, with flexible deployment options.
The biggest issue, however, may be just the way these organizations are currently structured. The survey finds 82% of respondents have different teams assigned to secure cloud-native apps. Among those respondents, half plan to merge these responsibilities in the future, while 32% intend to keep them separate.
Put it all together and it’s apparent there’s a long way to go before DevSecOps nirvana might be achieved. The good news is most organizations have a least started the journey.