New Data Reveals Organizations Take Inconsistent Approaches to Managing Flaws and Vulnerabilities as the Speed of Software Development Increases
BOSTON – October 8, 2019 – Organizations agree, building security into digital transformation initiatives is a priority—yet the recommended path to progress is unclear. These are the findings of a survey conducted by ZeroNorth, the industry’s first provider of risk-based vulnerability orchestration for applications and infrastructure.
For a full review and analysis of the survey findings, register to attend a live webinar on Friday, October 11, 1pm ET at https://go.zeronorth.io/ZNResearchRptWebinar.
The Importance of Digital Transformation and Security
Companies of all sizes and in all industries are experiencing the pains of digital transformation, with 79% of survey respondents indicating their organization already has related initiatives underway. All participants indicate the importance of digital transformation to the future of their organization, even those who have not yet embarked on a program. Further, identifying bugs, flaws and vulnerabilities throughout the software development lifecycle (SDLC) is considered “extremely” (58%) or “very” (42%) important to all participants.
A Clear Destination, Yet an Unclear Path
While digital transformation and security are clearly important, it appears there is no well-defined approach or best practice to ensure software security as digital transformation speeds up the development process. Many respondents rely on security scanning and testing tools to manage software risk; however, deployments remain wildly inconsistent. For example:
- Organizations rely on a wide range of scanning tools: 63% use six or more, with 9% reporting the use of over 30 tools.
- Few tools are used enterprise-wide. Network and vulnerability scanning are the most broadly employed, yet each is used by only just over half of all organizations: vulnerability scanning by 51% and network scanning by 53%.
- Professionals don’t have a full picture about what tools are used in their organization. Beyond network and vulnerability scanning, respondents were asked about 10 other tool categories, and the lack of related knowledge is striking. For example, 25% do not know if their organization is using interactive application security testing (IAST), while 19% don’t know if they are using software composition analysis (SCA) or cloud middleware.
- There’s no clear agreement on where to focus scanning within the SDLC. Build/CI environments receive the most focus with 68% of organizations scanning there, while integrated development environments (IDEs) get the least attention, as cited by 46% of respondents. Source code repositories, container/artifact management and deployment all fall somewhere in between. In short, there’s no definitive area where organizations agree focus is needed.
- Ownership of scans is uncertain. There’s slight agreement that source code and IDEs should be owned by development teams—and container/artifact management and deployment should be owned by security—but even in these categories, only 40-50% of respondents agree. Overall, ownership between application security, development and security operations teams remains inconsistent.
Open Source: Effective but Underused?
The use of Open Source Software (OSS) testing and scanning tools is another area where organizations exhibit inconsistent approaches. Most respondents (84%) believe open source tools are equally or more effective than commercial tools. However, when asked about initiatives that are planned or underway as part of their organization’s digital transformation, participants agree OSS receives the least amount of focus, with projects underway at only 47% of organizations.
Cloud migration emerged as the most mature initiative, underway at 80% of respondent organizations, followed by DevOps (67%), CI/CD (62%) and microservices (62%). This result illustrates how not all aspects of digital transformation move at the same pace. This is somewhat expected, as cloud services are relatively simple to pay for and begin using. This shift is much different than the cultural change that must spread through an organization to embrace DevOps.
“Businesses choose to see their evolution through the lens of digital transformation; it’s their way of describing acceleration of value stream delivery to customers through translating more of the business to software. To remain relevant, security must keep up with the pace and scope of this change,” said John Steven, CTO at ZeroNorth. “This shift doesn’t occur overnight, and it’s good to know that everyone is headed towards the same destination – we just have to agree on who’s going to navigate or drive each journey segment. Organizations that figure out how to prioritize and orchestrate the many pieces of their vulnerability management are in the best position to eliminate one of security’s most costly causes of delay along the journey.”
The full report, titled “Rethinking Security for Digital Transformation,” can be downloaded at https://go.zeronorth.io/ZNResearchReport. The report is based on an online survey of 57 cybersecurity professionals across a variety of functions, including executive roles (e.g., CISO), audit/compliance, risk, development and operations. The survey was conducted between August 13-30, 2019.
For additional analysis on the survey results, register for ZeroNorth’s live webinar at 1pm ET on October 11 by visiting https://go.zeronorth.io/ZNResearchRptWebinar.
ZeroNorth is the first company to deliver risk-based vulnerability orchestration across applications and infrastructure. By orchestrating scanning tools across the entire software lifecycle, ZeroNorth provides a comprehensive and continuous view of risk and reduces costs associated with managing disparate technologies. ZeroNorth empowers customers to rapidly scale application and infrastructure security, while integrating seamlessly into developer environments to simplify and verify remediation. For more information, follow ZeroNorth on Twitter (@ZeroNorthSec) and LinkedIn, or visit www.zeronorth.io.