The 5th annual DevSecOps community survey for 2018 from Sonatype reveals heightened interest in DevSecOps practices after the recent surge of high-profile breaches, and highlights security integration statistics among teams with mature DevSecOps workflows. In this blog post, we’ll discuss some of the important findings from the survey of 2,076 IT professionals and introduce the Container Analyzer Service, a new Tripwire solution which ties directly into your DevOps pipeline.

Of organizations surveyed, 33 percent suffered verified breaches stemming from vulnerabilities in open source components or web applications within the last 12 months, a 121 percent increase since the survey began in 2014. These and other high-profile breaches led 73 percent of respondents to affirm an increased interest in DevSecOps practices, including increased investment and implementation.

So, where is this increased investment going? When respondents with mature DevOps practices were asked where in their DevOps cycle automated application security testing is performed, those answering “throughout the process” grew by a massive 35 percent. There was also a 15 percent increase in automated security investment over 2017. Answers for the design, development, test, pre-release, and production phases also grew between 12 and 30 percent year over year. Another driver for increasing automated security in the software development lifecycle among many organizations was the need to comply with the “secure by design” requirement of the European Union General Data Protection Regulation (GDPR), with 59 percent noting they are building more security automation into the pipeline.

These statistics show an increased awareness of the need for continuous security in the DevOps pipeline, and those with mature practices are rapidly adopting automated security in multiple DevOps phases.
They are 338 percent more likely to integrate automated security than organizations with no DevOps practice. One notable statistic is that 56 percent of respondents with a mature DevOps practice rated container and application security tools as critical to their organizations. This is more than double the response rate of those without a DevOps practice, showing a clear shift to containerization once DevOps has been embraced.

Aligned with respondents' emphasis on tools, Tripwire recently announced the early access program for the Container Analyzer Service (CAS). This new DevOps solution is designed to integrate into the build phase of a DevOps process, “shift left,” and evaluate Docker images for vulnerabilities prior to deployment. Along with container scanning, 33 percent of respondents in Sonatype's survey rated dynamic application analysis as a critical component in their organizations. Fortunately, the Container Analyzer Service can perform deep dynamic vulnerability scans, finding vulnerabilities that may be missed by scanners that evaluate only installed packages. This adds the capability of discovering runtime vulnerabilities, such as SQL injection in web applications or vulnerabilities in services that were not installed via packages.

At the same time, automated security in the DevOps workflow is an indicator of maturity among DevOps organizations: 63 percent of survey respondents in mature DevOps organizations revealed they are leveraging tools to find vulnerabilities in containers. To that end, tools such as the Container Analyzer Service can help organizations secure the pipeline and reach DevSecOps maturity. Along with the Container Analyzer Service, Tripwire also provides integration with the DevOps toolchain for initiating scans, securing the build pipeline infrastructure, and monitoring for changes throughout the continuous deployment life cycle. To learn more about adding Tripwire solutions to your DevOps toolchain, click here.
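To make the "shift left" build-phase gate concrete, here is an added example (not Tripwire's code and not the Container Analyzer Service's real report format or API) of the policy step a pipeline runs after an image scan completes. It parses a constructed scan report, treats package findings and dynamic (runtime) findings the same way, blocks the build when any finding reaches a severity threshold, and honours time-limited waivers so that an exception documented months ago cannot silently suppress a finding forever. The report shape, severity labels, `kind` values and the `CVE-0000-…`/`DYN-…` identifiers are all placeholders invented for this example.

```python
"""Build-phase gate over container image scan results (illustrative example).

The report format below is an assumption for this example, not the output of
the Container Analyzer Service or any other real scanner.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report for one image. All identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/shop-web:1.4.2",
    "findings": [
        {"id": "CVE-0000-0001", "severity": "critical", "kind": "package",
         "component": "openssl 1.0.2g"},
        {"id": "CVE-0000-0002", "severity": "medium", "kind": "package",
         "component": "curl 7.47.0"},
        # A dynamic-scan finding: nothing in the package list points at it.
        {"id": "DYN-0001", "severity": "high", "kind": "runtime",
         "component": "GET /search?q= (SQL injection)"},
        {"id": "CVE-0000-0003", "severity": "high", "kind": "package",
         "component": "zlib 1.2.8"},
    ],
})


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    kind: str        # "package" (installed via package manager) or "runtime" (dynamic scan)
    component: str


def parse_report(text: str) -> tuple[str, list[Finding]]:
    """Load the JSON report; reject severities the policy does not know."""
    data = json.loads(text)
    findings: list[Finding] = []
    for f in data["findings"]:
        sev = f["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} in {f['id']}")
        findings.append(Finding(f["id"], sev, f["kind"], f["component"]))
    return data["image"], findings


def evaluate(findings: list[Finding], fail_at: str = "high",
             waivers: dict[str, str] | None = None, today: date | None = None):
    """Apply the build policy and return (blocking, waived, allowed).

    `waivers` maps a finding id to an ISO expiry date. An expired waiver no
    longer counts, so the finding blocks the build again once the date passes.
    """
    waivers = waivers or {}
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking, waived, allowed = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            allowed.append(f)          # below the gate's threshold
            continue
        expiry = waivers.get(f.id)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            waived.append(f)           # documented, still-valid exception
        else:
            blocking.append(f)         # either no waiver or an expired one
    return blocking, waived, allowed


def gate(report_text: str, fail_at: str = "high",
         waivers: dict[str, str] | None = None, today: date | None = None) -> bool:
    """Return True if the image may proceed to deployment, False otherwise."""
    image, findings = parse_report(report_text)
    blocking, waived, allowed = evaluate(findings, fail_at, waivers, today)
    for f in blocking:
        print(f"BLOCK  {image}: {f.id} [{f.severity}/{f.kind}] {f.component}")
    for f in waived:
        print(f"WAIVED {image}: {f.id} until {waivers[f.id]}")
    print(f"{image}: {len(blocking)} blocking, {len(waived)} waived, "
          f"{len(allowed)} below threshold")
    return not blocking


if __name__ == "__main__":
    import sys
    # Waiver for the zlib finding only; the critical and runtime findings still block.
    ok = gate(SAMPLE_REPORT, waivers={"CVE-0000-0003": "2099-01-01"},
              today=date(2018, 5, 1))
    sys.exit(0 if ok else 1)
```

In a pipeline the non-zero exit status is what stops the image being pushed or deployed; the waiver map would normally live in version control beside the Dockerfile so that every exception is reviewed and expires on a known date.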