Aimed at examining the strategies, tools, and practices impacting software security, the just-released “Global State of DevSecOps 2023” report from Black Duck is based on a survey conducted by Censuswide polling more than 1,000 IT professionals across the world. The following is a deep dive into the report's key findings.
According to the report, over 70% of the surveyed respondents said that automated scanning of code for vulnerabilities or coding flaws—static application security testing (SAST)—was a useful security measure. SAST was closely followed by interactive application security testing (IAST) with 69%, software composition analysis (SCA) with 68%, and dynamic application security testing (DAST) with 67%.
When asked “how do development, operations, and security teams really feel about the application security testing (AST) tools they use?”, all but 3% of the 1,000 respondents—all of whom hold roles in application/software development with a focus on cybersecurity—reported major issues with the AST tools they use. In fact, the respondents were fairly evenly split about which issues matter most: as seen in the graphic below, the most-cited issue is separated from the least-cited by only a few percentage points.
Challenges became even more apparent when respondents provided their answers to the query below.
The respondents said that the AST tools they use do not prioritize resolution based on factors like exposure, exploitability, and criticality, are too slow to fit into continuous deployment release cycles, and are inaccurate and unreliable.
In the report’s introduction, the authors note that the term “DevSecOps” embraces several different disciplines, many of which have unique personas. And that means when it comes to “business priorities,” the term can mean different things to different personas.
For example, business leaders prioritize the need to understand how effective their AppSec tools are, whereas development and operations teams prioritize a centralized view of all issues. And although those are separate priorities, both align with the issue, “No way to consolidate/correlate results from different tools.” Security teams want to cut through the noise to prioritize critical issues quickly, so they cite such issues as “Inaccuracy/unreliability” and “High number of false positives.”
With no way to consolidate or correlate results from different security tests, security and DevOps teams spend too much time determining what needs to be fixed first. This is likely one of the reasons why nearly three-quarters of respondents note that their organizations can take anywhere from two weeks to a month to patch known critical vulnerabilities.
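The two complaints above, results that cannot be correlated across tools and findings that are not ranked by exposure, exploitability, and criticality, are what a consolidation step in the pipeline addresses. The following is an added illustration, not code from the report or from Black Duck: it merges constructed sample output from hypothetical SAST, DAST, and SCA tools (the record layouts, the `INTERNET_FACING_PREFIXES` exposure table, and the scoring weights are all assumptions), deduplicates findings that several tools report for the same weakness and location, and ranks the result so the team can see what to fix first.

```python
"""Consolidate findings from several AST tools and rank them for remediation.

Added example; the tool output formats below are constructed, not real.
"""
from dataclasses import dataclass, field

# Constructed sample output from three hypothetical tools (not real tool formats).
SAST_FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "severity": "high", "location": "api/orders.py:42"},
    {"tool": "sast", "cwe": "CWE-79", "severity": "medium", "location": "web/views.py:10"},
]
DAST_FINDINGS = [
    # DAST confirmed the same SQL injection at runtime, so it is exploitable.
    {"tool": "dast", "cwe": "CWE-89", "severity": "critical",
     "location": "api/orders.py:42", "exploit_confirmed": True},
]
SCA_FINDINGS = [
    # A vulnerable dependency with no known public exploit (constructed).
    {"tool": "sca", "cwe": "CWE-502", "severity": "critical",
     "location": "requirements.txt:lib-x@1.2", "exploit_available": False},
]

# Exposure comes from deployment knowledge, not from the scanners (assumption):
# code under these paths serves internet-facing endpoints.
INTERNET_FACING_PREFIXES = ("api/", "web/")

# Criticality weights (assumed scale).
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    """One consolidated finding, keyed by (CWE, location) across all tools."""
    cwe: str
    location: str
    severity: str
    tools: set = field(default_factory=set)
    exploitable: bool = False
    exposed: bool = False

    def score(self) -> int:
        """Priority score: criticality, then exploitability, then exposure,
        with a bonus when more than one tool corroborates the finding."""
        s = SEVERITY_WEIGHT[self.severity] * 10
        if self.exploitable:
            s += 20
        if self.exposed:
            s += 10
        s += 5 * (len(self.tools) - 1)
        return s


def consolidate(*sources):
    """Merge raw findings from several tools into one dict keyed by (cwe, location)."""
    merged = {}
    for source in sources:
        for raw in source:
            key = (raw["cwe"], raw["location"])
            f = merged.setdefault(key, Finding(raw["cwe"], raw["location"], raw["severity"]))
            # Keep the worst severity any tool reported for this weakness.
            if SEVERITY_WEIGHT[raw["severity"]] > SEVERITY_WEIGHT[f.severity]:
                f.severity = raw["severity"]
            f.tools.add(raw["tool"])
            f.exploitable |= bool(raw.get("exploit_confirmed") or raw.get("exploit_available"))
            f.exposed |= raw["location"].startswith(INTERNET_FACING_PREFIXES)
    return merged


def prioritize(merged):
    """Return consolidated findings ordered from highest to lowest priority."""
    return sorted(merged.values(), key=lambda f: f.score(), reverse=True)


if __name__ == "__main__":
    for f in prioritize(consolidate(SAST_FINDINGS, DAST_FINDINGS, SCA_FINDINGS)):
        print(f"{f.score():3d} {f.cwe:8s} {f.severity:9s} {sorted(f.tools)} {f.location}")
```

With the sample data, the SQL injection that both SAST and DAST reported at the same location collapses into one record, inherits DAST's confirmed exploitability and the internet-facing exposure, and ranks first; the critical-but-unexploited dependency issue ranks second, and the medium-severity XSS last. The weights are deliberately simple; the point is that the ranking inputs (criticality from the scanners, exploitability from runtime confirmation or exploit intelligence, exposure from deployment context) come from different sources and only become useful once the findings are correlated.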
And failure to patch can quickly affect the bottom line. More than 80% of respondents said that dealing with critical vulnerabilities or related security issues of deployed software impacted their delivery schedules during 2022-23.
With participants from the U.S., U.K., France, Finland, Germany, China, Singapore, and Japan represented, the report covers topics including DevSecOps adoption, leading security practices, the importance of cross-functional teams for success, successfully measuring a security program, and the promises and pitfalls that AI might bring to DevSecOps. For organizations struggling to gain cohesion across myriad security tools while keeping pace with business demands, the Black Duck 2023 DevSecOps report is a must-read.