It's been over 10 years since Shannon Lietz introduced the term DevSecOps, aiming to get security a seat at the table with IT developers and operators.
More organizations are looking to shift security left to ensure that security is prominent in their development practices.
Even though nearly 30% of respondents said they deployed to production weekly, only 20% were assessing or testing for security vulnerabilities at a similar velocity.
Technology leaders and DevSecOps teams struggle to determine which security practices to prioritize and mature.
The SANS survey lists over 25 security practices and techniques that at least 50% of respondents said were useful.
Determining which security practices to focus on requires that we account for business goals, risks, development velocity, the technology stack, compliance requirements, and other factors.
The report lists top API security risks, including injections, authentication flaws, cross-site issues, API leaks, and broken access controls.
While many organizations have adopted the best practice of implementing APIs, some haven't fully shifted left and applied security practices during API development.
Today, there are many static code analysis tools, also called static application security testing (SAST) tools, for DevSecOps teams to consider.
While SAST helps developers identify vulnerabilities before pushing to production, Dan Garcia, CISO at EDB, recommends adding dynamic application security testing (DAST) capabilities.
If you're investing in software development, cloud-native architecture, and CI/CD pipelines, there's no excuse not to include code scanning capabilities to review code and highlight security vulnerabilities.
One is security observability to cover the full stack, including application, integration, and cloud infrastructure.
DevSecOps should also extend observability practices into the dataops and machine learning model realm, since issues in these domains can also impact reliability, performance, and security.
Building observability into MLops helps track security issues, such as threat actors triggering pipelines or manipulating data.
If every application, data pipeline, and ML model uses different observability naming conventions, practices, and tools, it becomes harder for SREs and security operations centers to quickly identify and resolve security issues.
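As an added illustration of the point above (not code from the article or from SANS), the snippet below defines one event schema shared by an application, a data pipeline, and an ML training job, maps legacy field names onto it, and runs a single set of detection rules across all three sources; the field names, the allowed trigger actors, and the sample events are all constructed for this example.

```python
"""Constructed example: one security-event schema shared by apps, data pipelines
and ML training jobs, plus a small detector that runs across all of them."""
from typing import Optional

# Field names every source must emit (an assumption made for this example).
COMMON_FIELDS = ("ts", "source_type", "service", "actor", "action", "outcome")

# Legacy field names some teams still use, mapped onto the common schema.
ALIASES = {"svc": "service", "user": "actor", "event": "action",
           "result": "outcome", "kind": "source_type", "time": "ts"}

# Constructed policy: which principals may trigger each pipeline.
ALLOWED_TRIGGER_ACTORS = {"feature-etl": {"ci-bot", "scheduler"}}

# Constructed sample events from three domains; the last one uses legacy names
# and omits "outcome", so it cannot be correlated with the others.
SAMPLE_EVENTS = [
    {"ts": "2023-12-04T10:00Z", "source_type": "app", "service": "orders-api",
     "actor": "svc-frontend", "action": "http.request", "outcome": "ok"},
    {"ts": "2023-12-04T10:01Z", "source_type": "pipeline", "service": "feature-etl",
     "actor": "ci-bot", "action": "pipeline.trigger", "outcome": "ok"},
    {"ts": "2023-12-04T10:05Z", "source_type": "pipeline", "service": "feature-etl",
     "actor": "ci-bot", "action": "pipeline.output", "outcome": "ok", "checksum": "sha256:aaaa"},
    {"ts": "2023-12-04T10:20Z", "source_type": "pipeline", "service": "feature-etl",
     "actor": "jdoe", "action": "pipeline.trigger", "outcome": "ok"},
    {"ts": "2023-12-04T10:30Z", "source_type": "model", "service": "churn-model",
     "actor": "training-job", "action": "dataset.load", "outcome": "ok",
     "upstream": "feature-etl", "checksum": "sha256:bbbb"},
    {"time": "2023-12-04T10:31Z", "kind": "batch", "svc": "legacy-report",
     "user": "cron", "event": "run"},
]

def normalize(raw: dict) -> Optional[dict]:
    """Rename legacy fields to the common schema; None if still incomplete."""
    event = {ALIASES.get(k, k): v for k, v in raw.items()}
    return event if all(f in event for f in COMMON_FIELDS) else None

def detect(raw_events: list[dict]) -> list[dict]:
    """Apply cross-domain rules in event order and return the findings."""
    findings, produced = [], {}  # produced: pipeline -> checksum of last output
    for raw in raw_events:
        ev = normalize(raw)
        if ev is None:  # cannot be correlated at all: a finding in its own right
            findings.append({"rule": "schema_violation", "raw": raw})
            continue
        if (ev["action"] == "pipeline.trigger"
                and ev["actor"] not in ALLOWED_TRIGGER_ACTORS.get(ev["service"], set())):
            findings.append({"rule": "unexpected_pipeline_trigger",
                             "service": ev["service"], "actor": ev["actor"]})
        if ev["action"] == "pipeline.output":
            produced[ev["service"]] = ev["checksum"]
        if ev["action"] == "dataset.load":  # model must train on the pipeline's output
            expected = produced.get(ev.get("upstream"))
            if expected is not None and ev["checksum"] != expected:
                findings.append({"rule": "dataset_checksum_mismatch",
                                 "service": ev["service"], "expected": expected,
                                 "seen": ev["checksum"]})
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields three findings: an unexpected trigger of feature-etl by jdoe, a churn-model training set whose checksum does not match the pipeline's output, and one event that could not be mapped onto the shared schema.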
I highlighted three security practices likely to impact many DevSecOps teams and where continuous investment and standards can address many security risks.
The SANS report highlights many other application security practices that should already be commonplace in IT organizations, such as third-party penetration testing, security training, and implementing a web application firewall.
Other practices, such as container security scanning and cloud-native application protection platforms, are relevant when DevSecOps is implemented on modernized architectures.
The choice of which security areas to focus on isn't getting easier, but there are too many risks when IT bolts on security.
Instead, teams should prioritize continuous DevSecOps security practices.
This Cyber News was published on www.infoworld.com. Publication date: Mon, 04 Dec 2023 10:43:05 +0000