The state of application security: DevOps, testing inspire confidence

Robert Lemos, Freelance writer

Companies continue to have a paradoxical relationship with security: More than half of business decision makers—52%—have increased concerns about application security, but 64% still have considerable confidence in their current security efforts, according to a recent study conducted by BizTechInsights for Micro Focus.

Based on a survey of 538 business and technology decision makers, The State of Application Security in the Enterprise report also found that companies felt they had an average maturity level in their security operations.

The greater confidence in the face of more serious security concerns is likely the result of an increasing security maturity, said Brent Jenkins, an evangelist on Micro Focus' Fortify application security team.

"One of the downsides to having a more robust security program is that you find more potential vulnerabilities. The things that, once, you did not even notice, you are now noticing."
Brent Jenkins

The disparity also extends to visibility into the threat landscape. Despite their confidence, nearly three-quarters of business decision makers said they have seen more security threats in the past year. It is not clear from the data, however, whether attackers are increasing their assaults on these companies or if the companies are improving their security efforts so much that they are detecting more incidents.

Companies often report more vulnerabilities and incidents after increasing security resources and efforts, said Dan Kennedy, research director for information security at 451 Research.

"You are never really sure whether they are just seeing more attempts to compromise their networks or if there really are more attacks. Awareness has certainly gotten better."
Dan Kennedy

How is your organization's application security fitness? Here are the key takeaways from the report.

Security maturity delivers confidence

More companies are moving toward an agile development and deployment methodology, the survey found. With 64% of businesses implementing DevOps, most organizations have put a premium on improving their speed. Yet, at the same time, companies are testing more often, with 58% testing their software at every stage of the development lifecycle—or even more frequently.

The adoption of DevOps is likely a main reason for the increase in testing, since automated tests and continuous integration and deployment go hand in hand, Kennedy said. Security testing works best when it is integrated into the software development lifecycle rather than run as a separate step after the code is finished.

"Where DevOps comes into play, it has done two things. It has standardized the build and communication tools for developers. You are starting to see more Jira and more Slack. And you see more build tools. So the app-sec vendors are now able to plug into these new tools."
—Dan Kennedy

The survey results match the DevSecOps Community Survey released in April, which found that only one quarter of companies thought they had mature DevOps practices, while about half are still improving their maturity. In that survey, 57% of companies with mature DevOps practices conduct security testing throughout the development process.

Security is a journey

Overall, however, companies still feel they have a long way to go. More than 70% are at least somewhat concerned with the security of the applications that their organization released, despite the majority of firms—51%—believing that at least three-quarters of their applications are covered by their security testing.

"Companies often have an optimistic outlook on their coverage. In reality, most don't know whether they have a particular program covered, or they just think they do."
—Brent Jenkins

Are we there yet?

As the number of threats reported by companies grows, organizations have focused more on security, and application security is an important element of that program. About one in three companies had or suspected they had a breach due to a web application vulnerability, the survey found. For organizations embarking on DevOps, much of their security testing can be integrated into the development lifecycle, along with compliance checks and quality control.
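The report measures how often organizations test, not how a test result actually becomes a gate in a pipeline. As an added example that is not from the report, from Micro Focus, or from the tools mentioned above, the following Python script shows the integration Kennedy describes at its simplest: a CI step reads a scanner's SARIF report (the interchange format most static analysis tools can emit) and fails the build when findings at or above a chosen severity remain. The sample report, rule IDs, file paths and line numbers are constructed for illustration; the resolution of a missing result level to the rule's default and then to "warning" follows the SARIF 2.1.0 specification for results of the default kind "fail".

```python
"""Minimal CI security gate over a SARIF report (example code, not from the report or any vendor)."""
import json
import sys

# SARIF "level" values ranked so a gate threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF 2.1.0 output standing in for a real scanner's report.
# Rule IDs, paths and line numbers are illustrative, not from any actual scan.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection"},
            {"id": "py/weak-hash"},
            {"id": "py/unused-import", "defaultConfiguration": {"level": "note"}},
            {"id": "py/hardcoded-credentials"},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 17}}}]},
            # No explicit level: falls back to the rule's defaultConfiguration ("note").
            {"ruleId": "py/unused-import",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                 "region": {"startLine": 3}}}]},
            # No level and no rule default: SARIF specifies "warning" in that case.
            {"ruleId": "py/hardcoded-credentials",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                                 "region": {"startLine": 9}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into a list of {rule, level, file, line} dicts.

    A missing result level is resolved as the SARIF spec describes:
    rule.defaultConfiguration.level first, then "warning".
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r.get("id"): r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            level = result.get("level")
            if level is None:
                level = rules.get(rule_id, {}).get("defaultConfiguration", {}).get("level", "warning")
            file_, line = None, None
            locs = result.get("locations", [])
            if locs:  # report the first location only; that is enough to point a developer at it
                phys = locs[0].get("physicalLocation", {})
                file_ = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
            findings.append({"rule": rule_id, "level": level, "file": file_, "line": line})
    return findings


def gate(findings, threshold="error", allowlist=()):
    """Return (passed, blocking_findings).

    A finding blocks the build when its level is at or above `threshold` and its
    rule ID is not in `allowlist` (accepted risks that are tracked elsewhere).
    """
    min_rank = LEVEL_RANK[threshold]
    blocking = [f for f in findings
                if LEVEL_RANK.get(f["level"], 0) >= min_rank and f["rule"] not in allowlist]
    return (not blocking, blocking)


def main(argv):
    """CLI: gate.py <report.sarif> [threshold]; exits 1 when the gate fails."""
    path = argv[1]
    threshold = argv[2] if len(argv) > 2 else "error"
    with open(path, encoding="utf-8") as fh:
        findings = load_findings(fh.read())
    passed, blocking = gate(findings, threshold)
    for f in blocking:
        print(f"{f['level'].upper():8} {f['rule']} at {f['file']}:{f['line']}")
    print(f"{len(findings)} finding(s), {len(blocking)} blocking at threshold '{threshold}'")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after the scanner, for example `python gate.py report.sarif warning`, so a non-zero exit stops the build. Start with the threshold at "error" and tighten it as the backlog shrinks; the allowlist is where findings accepted with a ticket belong, which keeps the gate strict without blocking every build on known, tracked debt.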

Overall, companies are on the right track, said Kennedy.

“They are spending more on security, doing more, and the posture is better. It’s natural that they continue to worry about advances in tactics and attacks.”
