Open source vulnerabilities boost DevSecOps investments

Last year's huge security breach in the systems of US-based credit reporting agency Equifax was not a once-off anomaly of poor cyber hygiene.

This is according to Derek Weeks, president and DevOps advocate at Sonatype.

"Equifax was not alone," Weeks said, referring to the breach that resulted from a hack targeting vulnerable open source components. It exposed sensitive information, such as social security numbers and addresses, of more than 143 million Americans and shook the open source community worldwide.

Weeks was commenting on the results of Sonatype's fifth annual DevSecOps Community Survey, which revealed that breaches blamed on open source software components rose by 55% year-on-year. In fact, almost one third (31%) of the enterprises represented by the over 2 000 IT professionals surveyed had experienced suspected or verified breaches in the past year.

The 2018 survey was undertaken by several organisations involved in software development security to highlight the state of open source security. The survey shares practitioner perspectives on evolving DevSecOps practices, shifting investments and changing perceptions.

Gartner defines DevSecOps as a practice that aims at integrating security into every aspect of an application lifecycle, from design to development, testing, production and ongoing operations.

The research found that there is a growing 'security mindset' among survey respondents, with mature DevOps practices 338% more likely to integrate automated security than organisations with no DevOps practice.

This year's survey also found that investments in open source governance (44%), container security (56%) and web application firewalls (58%) were noted as the most critical to organisations pursuing DevSecOps transformations.

Nevertheless, with breaches increasing 55% in the past year, there is clearly a lot more work that has to be done by developers and security teams.

"As application breaches tied to open source components jumped more than 50% year-over-year, those investing in DevSecOps showed 85% higher levels of cyber readiness, compared to those who aren't," said Wayne Jackson, CEO of Sonatype.

"It's evident that recent high-profile breaches, such as that experienced by Equifax, have heightened investments in DevSecOps. The survey also revealed strong investments from organisations striving to stay ahead of May 2018's 'secure by design' requirement stipulated within the EU's General Data Protection Regulation (GDPR)."

Other key findings from the survey include:

• 77% of mature DevOps organisations have open source policies in place, with a 76% adherence rate. Conversely, only 58% of respondents without mature DevOps practices had a policy, with a 54% adherence rate, revealing that adding automated governance to DevSecOps is difficult to ignore.

• 59% of mature DevOps organisations are building more security automation into their development processes as focus on GDPR compliance grows.

• 88% of those with mature DevOps practices are investing in application security training, while 35% with immature practices said they had no access to security training. This finding points to stronger cybersecurity readiness postures of those investing in DevOps.

• 63% of respondents with mature DevOps practices say they leverage security products to identify vulnerabilities in containers, as these components become more ubiquitous in modern IT landscapes.

Download the full survey here: https://www.slideshare.net/SonatypeCorp/2017-devsecops-survey