Secure DevOps: Fact or Fiction? SANS Survey Finds Enterprises Are Not Fixing Security Vulnerabilities

Bethesda, Md. – The new SANS survey, Secure DevOps: Fact or Fiction?, finds that fewer than half (46%) of respondents are confronting security risks up front in requirements and service design—and only half of respondents are fixing major vulnerabilities. Survey results will be released in webcasts November 8 and 9.

"Modern business, especially mobile and cloud computing, demands a rapid and agile approach to app development. Yet, security is being left behind, and its requirements are not being addressed early enough in the software design life cycle," said SANS Senior Analyst Barbara Filkins. "And protecting legacy apps is still a diversion," she added.

"While achieving DevOps is still aspirational for most organizations, secure DevOps is even more challenging," said SANS analyst and survey co-author Jim Bird. "What we found in our research is that while DevOps—and AppSec—programs focus on engineering, on finding better tools and on following better practices, the biggest challenges in secure DevOps are organizational, not technical. To succeed, secure DevOps needs every level of management, not just the CISO, to buy in."

The report identifies ways security teams can collaborate and communicate better for secure DevOps, protect both legacy and emerging apps, and plan resources to deal with evolving platforms.

Full survey results, along with actionable takeaways for security and risk management leaders, will be shared during a two-part webcast sponsored by Aqua Security, CA Veracode, Qualys, Rapid7, Signal Sciences and WhiteHat Security, and hosted by SANS.

Register to attend the November 8 webcast at 1 p.m. EST to learn how practitioners are handling evolving DevOps requirements and challenges, and the November 9 webcast at 1 p.m. EST to learn about incorporating security into the software development lifecycle. Those who register will also receive access to the published results paper developed by Jim Bird and Barbara Filkins.


About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.