
SANS Security Insights

Secure DevOps: Fact or Fiction? 2018 SANS Survey Finds Enterprises Are Not Fixing Security Vulnerabilities

Legacy Apps Remain Focus Even as Cloud Apps Grow; Patching Remains Issue

A new (Nov. 2018) SANS survey, Secure DevOps: Fact or Fiction?, finds that fewer than half (46%) of respondents are confronting security risks up front in requirements and service design, and only half of respondents are fixing major vulnerabilities. SANS released the survey data and a related paper Nov. 8.

Among many other key findings, the survey results include:

  • A surprising number of organizations are already deploying serverless apps. This should be a concern for security teams, because security risks in serverless environments are not widely understood, and recognized serverless security guidelines are yet to be developed.
  • Containers are still an emerging technology. Only 24% of respondents have 26% or more of their applications in containers, with most still at 1% to 5%. But, as we shall see, the use is growing.
  • The majority of respondents (43%) have 26% or more of their apps in the cloud.

SANS Senior Analyst and survey co-author Barbara Filkins notes, "Modern business, especially mobile and cloud computing, demands a rapid and agile approach to app development. Yet, security is being left behind, and its requirements are not being addressed early enough in the software design life cycle."

Survey data also found that protecting legacy apps is still a diversion from dealing with newer threats.

"While achieving DevOps is still aspirational for most organizations, secure DevOps is even more challenging," said SANS analyst and survey co-author Jim Bird. "What we found in our research is that while DevOps, and AppSec, programs focus on engineering, on finding better tools and on following better practices, the biggest challenges in secure DevOps are organizational, not technical."

The report notes that for secure DevOps, security teams can better collaborate and communicate, protect both legacy and emerging apps and plan resources to deal with evolving platforms.

Learn more here by viewing the webcast and downloading the paper:

A special thanks to the survey sponsors:

WhiteHat Security, CA Technologies Veracode, Signal Sciences, Rapid7, Aqua Security
