New Synopsys Research Reveals Vast Majority of Organizations Report DevOps Delays Due to Critical Security Issues
Synopsys, a leading software security company, has released its “Global State of DevSecOps 2023” report, shedding light on the impact of critical security issues on DevOps delivery schedules. Based on a survey of over 1,000 IT professionals worldwide, including developers, application security professionals, DevOps engineers, and CISOs, the report highlights the challenges organizations face in implementing effective DevSecOps practices.
According to the survey, a staggering 80% of respondents reported that a critical security issue in deployed software had affected their DevOps delivery schedule in the past year. This finding underscores the importance of implementing DevSecOps, a framework that integrates security testing throughout the software development life cycle (SDLC). By embedding security measures at every stage, organizations can significantly reduce the number of vulnerabilities and exploitable security issues in their applications.
While the report reveals that 91% of organizations have adopted some level of DevSecOps practices, it also highlights the barriers they face in implementing these practices effectively, particularly at an enterprise scale. One key challenge identified is the integration and prioritization of results from the multiple application security testing tools used by teams. Additionally, respondents cited the automatic enforcement of security and compliance policies through infrastructure-as-code as a critical factor in the success of their security programs.
The report also delves into the use of artificial intelligence (AI) in software security. Interestingly, 52% of respondents stated that they actively use AI to enhance their organization’s software security measures. However, 76% expressed concerns about potential errors or issues with AI-based cybersecurity solutions. This finding highlights the need for organizations to strike a balance between leveraging AI’s capabilities and addressing the associated risks.
Another key finding is the time it takes organizations to remediate critical security risks and vulnerabilities. The survey reveals that 28% of respondents reported a patching timeline of up to three weeks, while 20% stated it could take up to a month. This is concerning, considering that most exploits appear within days. Organizations need to prioritize timely remediation to minimize the window of opportunity for potential attacks.
The report also examines the usefulness of various application security testing tools. Dynamic application security testing (DAST), interactive application security testing (IAST), static application security testing (SAST), and software composition analysis (SCA) were all regarded as useful by at least two-thirds of respondents. SAST emerged as the highest-regarded tool, with 72% finding it useful, closely followed by IAST (69%), SCA (68%), and DAST (67%).
The survey also reveals that security testing responsibilities are shared almost equally between internal security teams and development/engineering teams. Software developers and engineers (45%) are just as likely to be tasked with performing security tests as internal security team members (46%). Additionally, one-third of organizations are enlisting external consultants to supplement the efforts of internal teams, highlighting the collaborative approach to software security.
Synopsys, with its comprehensive portfolio of software security products and services, is at the forefront of transforming the way development teams build and deliver software. Its solutions enable organizations to accelerate innovation while addressing business risk. By leveraging Synopsys’ expertise, companies can build trust in their software and ensure the highest level of security.
In conclusion, the “Global State of DevSecOps 2023” report by Synopsys provides valuable insights into the challenges and opportunities surrounding software security. As organizations strive to implement effective DevSecOps practices, it is crucial to address the barriers identified in the report and leverage the right tools and methodologies. By doing so, companies can enhance their software security measures, reduce vulnerabilities, and deliver high-quality applications with confidence.