DevSecOps Needs Are Shifting in the Cloud-Native Era

With the continued adoption of cloud-native technologies, there is an apparent need for organizations to shift DevSecOps approaches, according to a new report from Enterprise Strategy Group (ESG).

ESG's report, which was sponsored by ArmorCode, reveals a paradigm shift in application security posture management (ASPM) for cloud-native environments. The comprehensive study, "Modernizing Application Security to Scale for Cloud-Native Development," surveyed 350 IT, cybersecurity, and application development professionals across North America, uncovering urgent modernization needs in AppSec practices.

Key findings from the survey include:

"Not completely surprising because of the buzz around AI and because it's new, but it was interesting to see the data on the concern and need to address AI," Melinda Marks, practice director at ESG, told ITPro Today.

Related:The DevSecOps Model: What You Need To Know

The report found that 64% said they are currently using GenAI or chatbot tools to help with development, 21% plan to use it, and 12% are interested in using it.

"This means AppSec needs to address it with policies or controls to ensure secure usage, but it also impacts development speed and efficiency," Marks said.

DevSecOps Needs to Better Secure Secrets

A cornerstone activity for any DevSecOps team is to secure secrets — that is, the passwords and access credentials that allow access to services and applications.

Marks noted that despite many respondents having tools in place for secret scanning or detection, the highest number of incidents (32%) were from secrets stolen from a repository.

The study also included data on frequency of usage of tools. She said that it showed that scanning takes place periodically, including daily, multiple times per week, or weekly, but this was not aligned with code pushes or development processes.

"So, this is an area for much improvement as scanning takes resources and time and should align better with developer workflows," Marks said.

Time for a Vendor-Independent Governance Layer in DevSecOps

Related:Making the Leap from IT Operations to DevSecOps Engineer

The study mentions the concept of a "vendor-independent governance layer" for application security. It's an approach that potentially could yield significant benefits to DevSecOps teams.

Marks said she has seen application security teams implement multiple tools to cover different elements. For example, there is IaC scanning, Source Code Analysis (SCA), Dynamic Application Security Testing (DAST), tools for setting policies, secrets scanning, API security, and more. These tools can come from open source, cloud service providers, or third-party security vendors.

Having so many tools can introduce such challenges as gaining consistency across development teams, dealing with alert fatigue, or determining which remediations are needed and/or how remediation can mitigate risk.

"While there is an effort to gain the benefits of consolidation — one vendor they can rely on to cover multiple areas — we also see a preference for best-of-breed solutions," Marks said. "Instead, a third-party platform that can support multiple tools can serve as a governance layer to help orchestrate the usage of needed tools, collect data, and help security teams more efficiently gain the visibility they need, apply the right controls and processes, and determine needed actions."

Karthik Swarnam, chief security and trust officer at ArmorCode, explained that traditional application security is more focused on risk findings and analysis from individual and native tools. Meanwhile, having an independent governance layer provides a holistic view that looks across assessment sources from individual application scanners and solutions.

"This approach provides a collated view of findings from numerous tools and can create optimized remediation plans based on insight about the organization's greatest risks gained by having this overarching perspective," Swarnam told ITPro Today.

What DevSecOps Features Should Organizations Look For?

The report found that 98% of organizations are planning to invest in new security solutions.

As to what specific features or capabilities they should be looking for, Marks has a few ideas:

Visibility. First off, she suggests that organizations look for ways to gain the control and visibility they need to proactively mitigate risk, catching security issues as early as possible in the development process. That visibility will also enable the organization to monitor applications so it can efficiently detect and respond to security issues when they occur.

DevSecOps Integration. There is also a need to focus on tools that enable DevSecOps.

"The research showed the importance of DevSecOps and integrating security into developer processes, so this needs to be a priority," Marks said.

As such, she recommends that organizations look for tools with automation capabilities that can be incorporated into developer processes, including GitOps tools and pipelines, to increase efficiency for developers throughout the software development lifecycle.

Prioritization. Marks noted that the research showed the challenges of remediation once an application is deployed. As such, it's important to catch and remediate issues in build time before they deploy. She suggests that organizations look for tools that aren't disruptive and can help developers efficiently understand what they need to fix, and how to fix it.

Consistency. Security also needs control to ensure tools and processes are used consistently across development teams, and to have visibility into what processes are taking place in development.

"Once the application is running, security needs full visibility for detection, ways to more efficiently prioritize what needs attention, and better ways to collaborate with development and other teams for rapid remediation," Marks said.