ITWeb, in collaboration with Accenture and Micro Focus, conducted an online DevOps survey during September 2020. The survey sought to uncover how companies were approaching integrated application security across the lifecycle of development projects. It captured
input from 216 respondents, representing a wide range of organisations of all sizes.When asked how they approached threat modelling, 39% of respondents indicated that all applications went through threat modelling, and attack vectors were addressed during implementation. However, 16% of participants said they only do threat modelling for critical applications.
Clive Brindley, cyber defence lead at Accenture, says this points to a prioritisation imperative. “With limited budgets
and resources, organisations must consider the ‘crown jewels’ and ensure vital business applications and services are considered as priority, and deploy a considered approach to understanding what threats exist and how to mitigate them via secure coding and operating practices.”Respondents were asked whether their team had the coding skills to build security protection into frameworks and templates in ways that are safe and easy to use. Only 10% of respondents confidently state they use a standardised framework with reusable components . Further, only 16% have a security framework and standardised approach for developers to leverage when building secure code. Brindley says, “We need to ask ourselves how we can infuse security practices into the early stages of project initiation, throughout development and into production. How do we change the current status quo to protect our applications?”
Only 30% of respondents state there is collaboration between security and developer teams throughout the software development lifecycle, and only a quarter state they collaborate as needed. “Getting developers and security experts collaborating early on and throughout the development and production lifecycle is critical to ensure appropriate defences are baked into the application, and where needed, compensating controls are considered for areas that cannot be mitigated in full.”
Just under half of respondents have little or no self-service automated continuous integration to provide security testing. Only 16% have full automation across all phases of the project.
“Results demonstrate that we have a way to go to ensure repeatable, predictable and rigorous testing for security defects across CI/CD pipeline," comments Brindley.
Nearly half of the respondents (46%) believe enterprise compliance standards are well defined in their team, and team members understand them and are able to implement
them. Brindley says, “Understanding the required regulatory, internal compliance requirements for secure code and system/service development is crucial, as it provides risk leaders with a view of the compliance to critical security requirements that have been met or where non-compliance is elevating risk beyond tolerance levels.”We need to ask ourselves how we can infuse security practices into the early stages of project initiation, throughout development and into production.
Clive Brindley, Accenture.
In addition, 28% said app development projects followed internally defined metrics; while 26% have industry standard metrics with tool-based governance with business intelligence applied in projects. “These measures are useful in showing software quality in terms of security and risk mitigation outcomes.”
Approximately 50% of respondents have a fragmented approach to security monitoring across the application lifecycle. “This talks to monitoring application/service/system health throughout the development, implementation and operation of the application," says Brindley. "We need to ask ourselves ‘how do we get secure and how do we stay secure?’."
Nearly one in four respondents (23%) say code is scanned automatically on a daily basis, with IDE (Integrated Development Environment) plug-in integrated, while 21% perform scans in silos upon request for releases.
“Scanning for code is a critical step in the layered ‘defence in depth’ approach, coupled with threat modelling, compiled application tests, penetration tests, with production monitoring and even threat hunting to support specific and more complex attack scenarios,” Brindley explains.
Only 60% of respondents perform scans for open source components and associated vulnerabilities. “With the re-use of source code components, libraries and more, it is critical to understand if ‘non-inhouse’ code is providing a bigger attack surface.”
Almost 50% of respondents execute scans across all code elements, including scripts, infrastructure as code, shared libraries and the like. Brindley says, “While checking application code is critical, supporting elements must be considered when minimising attack surface or threats across attack surface. Deploying services as part of IaC (Infrastructure as Code) also requires close scrutiny due to the myriad of options to infuse untested and vulnerable services as part of an application or service bundle.”
When asked how feedback is provided to developers on issues found in scans, 26% said that scan reports are sent to developers directly with no automation in the process, while only 9% of respondents said no feedback was provided to developers.