The Reality Reflected by the DevSecOps 2019 Survey Results

Brendon Macaraeg

Brendon Macaraeg is Director of Product Marketing at Signal Sciences. Previously with CrowdStrike and Symantec, he focused on evangelizing and marketing security offerings. Outside of work, Brendon keeps busy with his wife and kids enjoying outdoor activities.

The more things change in life, the more they stay the same. A cliché? Perhaps, but the results of the 2019 DevSecOps Community Report prove that truth to a certain extent. The sixth edition of this annual report contains responses to 41 questions from over 5,500 IT professionals across a dozen industries, from finance to media to healthcare.

Signal Sciences partnered with Sonatype, CloudBees, Twistlock, and Carnegie Mellon’s Software Engineering Institute on this year’s report. The results tell not only of the challenges of moving fast to release code, but of how the DevSecOps Elite are embedding security throughout the software development lifecycle (SDLC). I encourage you to get a copy of the report and reflect on how your organization integrates security tools and practices into your own development and operations processes.

Empowering DevOps teams to protect the web apps they work hard to design, develop and release is part of Signal Sciences’ DNA, and our patented hybrid of next-gen WAF and RASP is built to handle the challenges that come with DevOps and cloud. This blog focuses on a handful of the key findings in the report; if you want a more in-depth discussion of the stats, check out the on-demand webinar I recently hosted with Derek Weeks of Sonatype and X’auntasia Mabry of Duke Energy.

Now on with some key takeaways from the 2019 DevSecOps Survey report!

Key Takeaway 1: Yet again this year, developers know security is important but lack time to dedicate to it.

Figure: No time for security (Sonatype)

Time is clearly limited for developers—and this response did not change from the 2018 DevSecOps Survey report. We hear frequently from our customers that there is a lack of qualified candidates to fill roles that require security knowledge and expertise. So part of our mandate at Signal Sciences is to be a force multiplier for already stretched-thin teams that need to see more and act more effectively.

Spending time prioritizing the bugs with the most security value, writing security tests, participating in code reviews, and applying automated security instrumentation in production to provide visibility are all key to releasing secure code and safeguarding against attacker exploits.

That 48% of survey respondents still can’t find enough time to dedicate to embedding security across the SDLC is telling: both security and development teams are being asked to do more without more staff. That means they need to embed security earlier in the SDLC to avoid problems in later stages, especially in production. Even so, the advanced DevSecOps teams leverage automated security tools like our patented next-gen WAF and RASP technology to get visibility into web requests, automatically detect and block bad requests, and let valid requests through to their apps.

Key Takeaway 2: One in four companies have experienced a breach in the last 12 months

Given that web layer attacks are still the top cause of all breaches, this is not a surprising result.

Figure: Breach (Sonatype)

The growing complexity of how applications are distributed across infrastructure—cloud, on-premise or hybrid environments—makes for a wider attack surface that introduces significant risk.

Combine that with misconfigured databases, accounts holding escalated admin privileges they do not need, and the various breach-inducing open source vulnerabilities (Struts 2, anyone?), and there is still ample opportunity for attackers to find a weakness in public-facing web apps.

This response also points to the need for organizations to regularly assess their people, process and tools, as those are the heart of any effective security plan. This includes taking a hard look at the legacy WAF that runs in blocking mode in production less than 20% of the time: what real value is that WAF providing in terms of application protection? We’ve written at length in past blogs about the inherent weakness of legacy WAFs that rely on regex pattern matching and ever-expanding rulesets that struggle to keep up with rapid code releases to production.

If you have a legacy WAF as part of your appsec tooling, you are putting your organization’s applications at risk—and increasing the likelihood of a breach with technology that can’t scale adequately and produces false positives.

Key Takeaway 3: Automated security enables faster feedback loops

This year’s survey sought to understand where automation is employed at each stage of the SDLC. The results make it clear that advanced DevSecOps teams are now embedding security throughout the SDLC, while those with no DevOps practices were still bolting security on later in the development lifecycle, and doing so less often.

Figure: Auto App Sec Tooling (Sonatype)

Automated appsec tooling that creates feedback loops is key to empowering all teams—dev, ops and security—to be proactive security stakeholders. Security should not be the only group alerted to potential security incidents: development and operations teams can be alerted and shown where potential issues can arise—and address them before a critical issue impacts the business.

These are just a few of the enlightening takeaways from the 2019 DevSecOps Survey report. To get the whole picture of how DevSecOps teams are embedding security in their development process and meeting the challenges of distributed software deployed across varied environments, do check out the webinar recording.

Make Automated Web Application Security Part of Your Team’s DNA

DevOps and DevSecOps are part of Signal Sciences’ DNA: our product resulted from our founders’ adoption of DevOps practices and the need to embed security that worked fast where it mattered: where apps operate, in any infrastructure. Signal Sciences protects against the full spectrum of threats your web applications and APIs actually face. We instrument for and defend against:

  • Account takeover
  • Business logic attacks
  • Application abuse and misuse
  • Bad Bots
  • Application DDoS
  • OWASP Top 10 attacks such as cross-site scripting and SQL injection

Learn more about how our customers leverage Signal Sciences to embed security to protect their web layer assets or request a demo to see for yourself.