Very few companies are securing the majority of their cloud-native apps with DevSecOps practices, according to new research.
According to findings from ESG and Data Theorem, only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today.
However, 68% of companies are expected to be securing 75% (or more) of their cloud-native applications with DevSecOps practices within two years. The research analyzed 371 responses, and according to Doug Cahill, senior analyst and group practice director of cybersecurity for ESG, while organizations have started, there is more work to be done before they secure their cloud-native apps with DevSecOps practices and realize the benefits those practices offer.
He said: “Organizations should consider newer approaches to securing their cloud-native apps, particularly solutions that address API-related vulnerabilities, which tops respondents’ minds when identifying their top threat concern.”
Doug Dooley, Data Theorem COO, said that as production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions, they need to understand the associated risks and new threat model they are facing, and the means of addressing cloud native and API risks.
Asked by Infosecurity if they are seeing more companies adopt DevSecOps practices at the moment, or planning to adopt that strategy, Dooley said that security automation is gaining momentum for apps that are run by DevOps teams.
“We are still a few years away before it’s completely mainstream,” he said. “The culture of enterprise security has been a bit reluctant to embrace automation, but it’s the only way the best security teams are keeping up with the pace of DevOps.”
In an email to Infosecurity, Jeff Williams, co-founder and CTO of Contrast Security, said that most organizations only secure a small percentage of their application portfolio (cloud-native or not), and they typically use application security tools, techniques and practices on only 10-20% of their apps and APIs, those determined to be the “critical,” “external,” public-facing, or privacy-related apps.
“To help remedy this gap, DevSecOps practices and tools are rapidly being adopted,” Williams said. “However, there is also a disturbing trend to shove the same old AppSec tools onto development teams that don’t have the skills to use them effectively under the guise of ‘shifting left’. Real DevSecOps requires a fundamental change to the way application security work is performed.”
Regarding the increase from 8% to 68% of cloud-native app teams practicing DevSecOps, Williams said it is possible, as cloud-native apps are close to the ideal scenario for DevSecOps. “However, it won’t happen without hard work to transform the people, process and pipeline in these teams.”