DevSecOps and Code Vulnerabilities

A new report on DevSecOps suggests that automated scanning of code for vulnerabilities or coding flaws is fast emerging as a useful security measure. In addition, respondents felt that interactive application security testing, software composition analysis and dynamic application security testing were all essentials in any software development lifecycle going forward. 

Conducted by Synopses, the “Global State of DevSecOps 2023” polled more than 1000 IT professionals across the world to understand strategies, tools and practices impacting the software security systems. It said, over 70% of the surveyed respondents said that automated scanning of code for vulnerabilities or coding flaws — static application security testing (SAST) — was a useful security measure. 

The report (download it here) also noted that SAST was closely followed by interactive application security testing (IAST) with 69%, software composition analysis (SCA) with 68%, and dynamic application security testing (DAST) with 67%. The IT professionals surveyed include developers, application security professionals, DevOps engineers and CISOs. 

Over 80% of survey respondents indicated that a critical security issue in deployed software impacted their DevOps delivery schedule in the last year. Implementing DevSecOps, a framework focused on embedding security testing throughout each phase of the software development life cycle (SDLC), is an established way to reduce the volume of critical vulnerabilities and exploitable security issues in production applications. 

“While a vast majority [91%] of organizations have adopted some level of DevSecOps practices, they continue to face barriers effectively implementing its methods, especially at enterprise scale,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. 

“Specifically, we’re noticing that organizations across the globe are struggling with integrating and prioritizing the results from the multiple application security testing tools used by their teams. They also struggle to enforce security and compliance policies automatically through infrastructure-as-code, a practice that was cited most often by respondents as a key factor of their security program’s overall success.”

Key findings from the report include: 

Most security professionals are already using AI –and even more are wary of its risks. A majority (52%) of survey respondents noted that they are actively using AI to enhance their organization’s software security measures. However, even more (76%) are “very or somewhat concerned” about potential errors or issues with AI-based cybersecurity solutions.

Remediation timelines for most organizations can span weeks.Twenty-eight percent of respondents said their organizations take as long as three weeks to patch critical security risks/vulnerabilities in deployed applications. Another 20% said it can take up to a month, even as most exploits appear within days.

Application security testing tools are seen as useful to at least two-thirds of respondents. When asked to gauge the usefulness of security tools and practices – including dynamic application security testing (DAST), interactive application security testing (IAST), static application security testing (SAST), and software composition analysis (SCA) – each tool included in the survey was regarded as useful by at least two-thirds of respondents. The report identifies SAST as the highest-regarded AST tool, with 72% indicating that they find it useful. That is closely followed by IAST (69%), SCA (68%), and DAST (67%).  

Security testing responsibilities are equally shared between internal security and development/engineering teams. Software developers and engineers (45%) are just as likely to be tasked with performing security tests on their organization’s business-critical applications and continuous improvement (CI) pipelines as internal security team members (46%). One-third (33%) of organizations are also enlisting external consultants to supplement the efforts of internal teams.