Majority Report DevOps Delays Due to Critical Security Issues
March 28, 2024

Over 80% of survey respondents indicated that a critical security issue in deployed software impacted their DevOps delivery schedule in the last year, according to the Global State of DevSecOps 2023 report from Synopsys.

Implementing DevSecOps, a framework focused on embedding security testing throughout each phase of the software development life cycle (SDLC), is an established way to reduce the volume of critical vulnerabilities and exploitable security issues in production applications.

"While a vast majority [91%] of organizations have adopted some level of DevSecOps practices, they continue to face barriers effectively implementing its methods, especially at enterprise scale," said Jason Schmitt, general manager of the Synopsys Software Integrity Group. "Specifically, we're noticing that organizations across the globe are struggling with integrating and prioritizing the results from the multiple application security testing tools used by their teams. They also struggle to enforce security and compliance policies automatically through infrastructure-as-code, a practice that was cited most often by respondents as a key factor of their security program's overall success."

Key findings from the report include:

Security Pros already using AI

Most security professionals are already using AI –and even more are wary of its risks. A majority (52%) of survey respondents noted that they are actively using AI to enhance their organization's software security measures. However, even more (76%) are "very or somewhat concerned" about potential errors or issues with AI-based cybersecurity solutions.

Remediation spans weeks

Remediation timelines for most organizations can span weeks. 28% of respondents said their organizations take as long as three weeks to patch critical security risks/vulnerabilities in deployed applications. Another 20% said it can take up to a month, even as most exploits appear within days.

AppSec Testing Tools Considered Useful

Application security testing tools are seen as useful to at least two-thirds of respondents. When asked to gauge the usefulness of security tools and practices — including dynamic application security testing (DAST), interactive application security testing (IAST), static application security testing (SAST), and software composition analysis (SCA) — each tool included in the survey was regarded as useful by at least two-thirds of respondents. The report identifies SAST as the highest-regarded AST tool, with 72% indicating that they find it useful. That is closely followed by IAST (69%), SCA (68%), and DAST (67%).

Security Testing is Shared responsibility

Security testing responsibilities are equally shared between internal security and development/engineering teams. Software developers and engineers (45%) are just as likely to be tasked with performing security tests on their organization's business-critical applications and continuous improvement (CI) pipelines as internal security team members (46%). One-third (33%) of organizations are also enlisting external consultants to supplement the efforts of internal teams.

Methodology: The new report from the Synopsys Cybersecurity Research Center is based on a survey conducted by Censuswide polling more than 1,000 IT professionals across the world — including developers, application security professionals, DevOps engineers and CISOs, as well as experts in technology, cybersecurity, and software development.

Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1