Check Point® Software Technologies Ltd. announced its position as a leader in The Forrester Wave™: Enterprise Firewalls, Q4 2024 report.
You can't open a browser these days without reading another story about a ransomware attack or a newly discovered software vulnerability putting thousands at risk. There's no shortage of such incidents, and while fingers will always find a target to point at, there's plenty of blame to go around. In fact, recent research conducted by ESG and sponsored by Mend.io found just 52% of companies can effectively remediate a critical vulnerability — and even fewer (42%) are confident in their ability to manage the security and compliance risks associated with open-source software.
Frankly, that's alarming. And it begs lots of questions about the challenges those organizations are facing. What I find more interesting is the other 48% — the organizations that can effectively remediate a critical vulnerability. What are they doing right that others can learn from?
It turns out, they're embracing DevOps with arms wide open. The research revealed organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to have extensively embraced DevOps (46% vs. 20%).
Use DevSecOps Tools and Processes to Automate Security Checks
We know DevOps brings tremendous benefits and efficiencies to the development process, so it stands to reason incorporating security into DevOps processes and developer workflows should have a similar impact on remediation. The research corroborates that theory, finding that organizations able to keep pace with vulnerabilities are 3.3x more likely to have extensively incorporated security into development processes.
These high functioning security organizations have incorporated application security practices into DevOps with an eye toward automating security checks. In the examples below, you'll see how organizations that effectively remediate vulnerabilities (first number) compare against those who cannot remediate effectively (second number).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production (78% versus 61%).
■ Apply runtime API security controls (79% versus 58%).
■ Automate the identification and remediation of configuration and software vulnerabilities before deployment to production more often (78% versus 61%).
■ Discover and inspect APIs in source code (72% versus 61%).
■ Apply runtime threat prevention controls (e.g., anti-malware, application control, virtual patching, intrusion prevention, 73% versus 62%).
■ Log all changes for compliance audits (i.e., compliance-as-code, 70% versus 51%).
■ Apply dependency management for open source components (64% versus 54%).
■ Use software composition analysis (SCA) tools to inventory and audit third-party software components to identify and remediate vulnerabilities (60% versus 44%)
Shift Left, Collaborate, and Listen
In the past, with monolithic applications and waterfall development processes, security teams held responsibility for testing, finding, and remediating security issues. However, as more security practices are integrated with modern DevOps processes, it's no surprise the onus for application security is falling on developers. Indeed, 49% of organizations are putting all or most of the responsibility of their application security on their developers. But that's not necessarily a bad thing, as the data also points to developer accountability driving stronger collaboration between these groups.
For organizations efficient at remediation, the research found more than half (52%) encourage collaboration between development, security, and operations. And the earlier collaboration starts in the software development lifecycle (SDLC), the better. Organizations that began collaboration during the "requirements and design" phase reported a lower average of 2.3 serious security incidents, compared with 3.2 incidents experienced by organizations that engaged in collaboration later in the SDLC. From this, we can conclude early-stage teamwork can bolster security measures and minimize vulnerability-related risks.
Why It Matters
When it comes to application security, organizations only care about one thing: decreasing or eliminating security incident rates. Companies that can keep up with critical vulnerabilities succeed with the ultimate KPI for application security programs: lower security incident rates. These organizations were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit internally developed applications over the last 12 months. Examining the characteristics and experiences of those organizations that can remediate vulnerabilities effectively, it's pretty clear that DevSecOps delivers what matters.
Industry News
Sonar announced two new product capabilities for today’s AI-driven software development ecosystem.
Redgate announced a wide range of product updates supporting multiple database management systems (DBMS) across its entire portfolio, designed to support IT professionals grappling with today’s complex database landscape.
Elastic announced support for Google Cloud’s Vertex AI platform in the Elasticsearch Open Inference API and Playground.
SmartBear has integrated the load testing engine of LoadNinja into its automated testing tool, TestComplete.
Check Point® Software Technologies Ltd. announced the completion of its acquisition of Cyberint Technologies Ltd., a highly innovative provider of external risk management solutions.
Lucid Software announced a robust set of new capabilities aimed at elevating agile workflows for both team-level and program-level planning.
Perforce Software announced the Hadoop Service Bundle, a new professional services and support offering from OpenLogic by Perforce.
CyberArk announced the successful completion of its acquisition of Venafi, a provider of machine identity management, from Thoma Bravo.
Inflectra announced the launch of its AI-powered SpiraApps.
The former Synopsys Software Integrity Group has rebranded as Black Duck® Software, a newly independent application security company.
Check Point® Software Technologies Ltd. announced that it has been recognized as a Visionary in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms.
Harness expanded its strategic partnership with Google Cloud, focusing on new integrations leveraging generative AI technologies.
OKX announced the launch of OKX OS, an onchain infrastructure suite.