Today, the Enterprise Strategy Group (ESG) released “Walking the Line: GitOps and Shift Left Security,” a multiclient developer security research report examining the current state of application security. Offering both surprising and expected conclusions, the report's key finding was the prevalence of software supply chain risks in cloud-native applications.
Jason Schmitt, general manager of the Synopsys Software Integrity Group, echoed this finding. “As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative,” he said. “While managing open source risk is a critical component of managing software supply chain risk in cloud-native applications, we must also recognize that the risk extends beyond open source components. Infrastructure-as-code, containers, APIs, code repositories—the list goes on and on and must all be accounted for to ensure a holistic approach to software supply chain security.”
The survey had several key goals.
The survey included 350 participants across North America and Canada, with 30% of respondents identifying as IT team members, 40% as cybersecurity professionals, and 30% as application developers with decision-making power. Participants hailed from multiple industry verticals, including financial, manufacturing, retail/wholesale, technology, and more.
The report found that organizations are realizing the supply chain is more than just dependencies. It’s development tools/pipelines, repos, APIs, infrastructure-as-code (IaC), containers, cloud configurations, and more.
While open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. In fact, 73% of organizations reported that they have “significantly increased” their software supply chain security efforts in response to recent supply chain attacks.
Respondents cited the adoption of some form of strong multifactor authentication technology (33%), investment in application security testing controls (32%), and improved asset discovery to update their organization’s attack surface inventory (30%) as key security initiatives they are pursuing in response to supply chain attacks.
Forty-five percent of respondents cited APIs as the area most susceptible to attack in their organization today. Data storage repositories were considered most at risk by 42%, and application container images were identified as most susceptible by 34%.
The survey points out that a lack of open source management is threatening SBOM compilation.
The survey found that 99% of organizations either use or plan to use open source software within the next 12 months. While they have many concerns regarding the maintenance, security, and trustworthiness of these open source projects, their most cited concern relates to the scale at which open source is being leveraged within application development. Ninety-one percent of organizations using open source believe their organization’s code is, or will be, composed of up to 75% open source. Fifty-four percent of respondents cited “having a high percentage of application code that is open source” as a concern or challenge with open source software. In our own studies, we’ve found a correlation between the scale of open source software (OSS) usage and the presence of related risk.
As the scale of OSS usage increases, its presence in applications will naturally increase as well. Pressure to improve software supply chain risk management has placed a spotlight on software Bill of Materials (SBOM) compilation. With exploding OSS usage and lackluster OSS management, SBOM compilation becomes a complex task—something that 39% of survey respondents in the ESG study marked as a challenge of using OSS.
Walking the Line: GitOps and Shift Left Security, August 2022.
OSS risk management is a priority, but organizations lack a clear delineation of responsibilities.
The survey points toward the reality that while the focus on open source patching following recent events (such as the Log4Shell and Spring4Shell vulnerabilities) has resulted in a significant increase in OSS risk mitigation activities (the 73% we mentioned above), the party responsible for these mitigation efforts remains unclear.
A clear majority of DevOps teams view OSS management as part of the developer role, while most IT teams view it as a security team responsibility. This may well explain why organizations have long struggled to properly patch OSS. The survey found that IT teams are more concerned than security teams (48% vs. 34%) about the source of OSS code, which is a reflection on the role IT has in properly maintaining OSS vulnerability patches. Muddying the waters even further, IT and DevOps respondents (at 49% and 40%) view the identification of vulnerabilities before deployment as the security team’s responsibility.
IaC is helping organizations meet cloud-native development demands, but struggles to scale security are hindering adoption.
As development and deployment velocity demands continue to increase, tasks like configuration and provisioning of the infrastructure for cloud-native applications have been shifting left to developers—something traditionally done by IT/Ops. To help simplify and scale this process, organizations and developers leverage IaC; 96% are either using it already or plan to within the next 12 months.
However, this can lead to security concerns. While IT/Ops may be somewhat versed in security best practices, that’s less true of development teams. Eighty-three percent of respondents are experiencing an increase in IaC misconfigurations. This leads to issues like unauthorized access to apps and data, the introduction of cryptojacking malware to mine cryptocurrency, and fines due to noncompliance with industry regulations.
The survey found that the majority of DevOps respondents (50%) reported successful attacks on APIs occurring over the last year, with compromised cloud service account credentials, misconfigured cloud services, and exploits of known issues in internal code coming in not far behind (41%, 36%, and 44%).
Developer enablement is growing, but lack of security expertise is problematic.
A popular term in DevOps, “shifting left” means moving security efforts earlier and more often in the development life cycle. This has been a key driver of pushing security responsibilities to the developer. This shift has not been without challenges; while 68% of respondents named developer enablement as a high priority in their organization, only 34% of security respondents actually feel confident with development teams taking on responsibility for security testing.
Concerns like overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and obtaining oversight into security efforts seem to be the biggest obstacles to developer-led AppSec efforts. A majority of security and AppDev/DevOps respondents (at 65% and 60%) have policies in place allowing developers to test and fix their code without interaction with security teams, while 63% of IT respondents said their organization has policies requiring developers to involve security teams.
The value of enabling developers to become members of the security team seems to be felt by the majority of respondents, but it’s also clear that the necessity of keeping traditional security teams heavily involved has not significantly waned.
A secure supply chain means securing everything from your code, to your dependencies, containers, and more.