In today’s fast-paced and increasingly automated world of software development, integrating security into the DevOps process has become an essential part of managing software risk while keeping up with business demands. This approach, known as DevSecOps, embeds security throughout the software development life cycle (SDLC) so that security issues are identified and addressed early, when they are cheapest to fix.
According to Synopsys’ “Global State of DevSecOps 2023” report, 91% of organizations globally have adopted DevSecOps practices to some degree. Despite this widespread adoption, many businesses still struggle to integrate security tooling and practices into their DevOps pipelines. In this article, we dive into the key highlights from the report, focusing on the security concerns and challenges of Singapore businesses.
Challenges in Implementing DevSecOps
In Singapore, the top three challenges cited by local respondents are inadequate security training for developers and engineers (35.2%), a shortage of application security personnel and skills (32.8%), and continuously changing requirements and priorities (32.8%). Other challenges include a lack of coding skills in security teams (29.69%), a lack of transparency into development and operations work (28%), organizational silos between development, operations, and security teams (22.4%), and insufficient budget and funding for security programs and tools (21.6%).
Moreover, the report highlights that many Singaporean organizations face problems with their application security testing tools themselves: scan speeds that lag behind their rapid release cycles (40%), high false-positive rates (36%), inaccurate or unreliable results (32%), and difficulty consolidating and prioritizing findings from multiple tools (22.4%).
The State of Security Initiatives
10.4% of respondents admitted that their security initiatives are somewhat unstructured and disorganized.
At the other end of the scale, only a tiny percentage of businesses (1.6%) have reached Level V maturity, where security processes are continuously analyzed and improved. The remaining majority (88%) fall between these two extremes: they have documented and repeatable security processes for specific teams, standardized processes and procedures across the organization, and a security culture endorsed and communicated by leadership.
It is interesting to note that almost half (47.6%) of Singaporean organizations rely on a combination of manual and automated assessments to test the security of their business-critical applications. This hybrid approach suggests that organizations recognize that automated scanning and manual review each find issues the other misses. Meanwhile, almost as many (45.6%) engage external penetration testers to evaluate their defenses.
The most common testing frequencies are once per week (19.2%) and once every two months (18.4%).
Surprisingly, only a tiny fraction (2.4%) perform application security testing every day, even though daily or per-commit testing is what keeps security checks aligned with rapid release cycles.
Timely Responses to Vulnerabilities
Addressing vulnerabilities promptly is crucial to minimizing damage.
80.8% of Singapore businesses acknowledged that a critical security vulnerability has a considerable impact on their software delivery schedules. When asked about remediation timelines, 28% said it typically takes their organization up to three weeks to patch vulnerabilities in deployed applications. Worse, 8% said resolution could stretch to six months, a window in which a known, exploitable flaw remains exposed in production.
Defining Responsibility for Security Testing
The report also revealed mixed opinions on who should be responsible for security testing, with Singaporean businesses essentially split. Nearly half (46.4%) feel that internal security teams should be responsible, while 44% indicated that developers and/or software engineers should handle it. Others placed the responsibility with application quality (AQ) test teams, cross-functional DevSecOps teams, or external consultants. This diversity of perspectives highlights the need for clear guidelines and collaboration between teams so that security testing does not fall through the gaps between them.
The Importance of AI Tools in Security Solutions
The survey also checked in on enterprises’ adoption of AI tools for security testing. 57.28% of Singaporean respondents believe that AI tools can greatly improve the efficiency and accuracy of security measures, and 42.72% agree that they can reduce the need for manual review and analysis of security data. However, 82.52% of Singaporean respondents are concerned about potential bias or errors in AI-based security solutions, and 47.57% believe such tools can increase the complexity and technical requirements of software security. In practice, that means AI-generated findings should be treated like any other scanner output: triaged and verified before they are allowed to block or wave through a release. Despite these concerns, 47.2% of companies are already actively using AI tools in their software security measures.
The Synopsys Global State of DevSecOps 2023 report provides a glimpse into the challenges and opportunities that lie ahead for Singapore businesses. As organizations grapple with skill shortages, slow and noisy tooling, and long remediation timelines, technologies such as generative AI offer both promise and reason for caution.
Ultimately, the path forward requires a blend of human expertise, well-integrated tooling, and collaboration across development, operations, and security teams.
Embracing these elements will be key for businesses to remain resilient and proactive in an ever-changing digital landscape.