Organizations agree that building security into digital transformation initiatives is a priority, yet the recommended path to progress is unclear, according to a survey conducted by ZeroNorth.
Companies of all sizes and in all industries are experiencing the pains of digital transformation, with 79% of survey respondents indicating their organization already has related initiatives underway.
All participants indicate the importance of digital transformation to the future of their organization, even those who have not yet embarked on a program. Further, identifying bugs, flaws and vulnerabilities throughout the software development lifecycle (SDLC) is considered “extremely” (58%) or “very” (42%) important to all participants.
Successful approach to digital transformation
While digital transformation and security are clearly important, it appears there is no well-defined approach or best practice to ensure software security as digital transformation speeds up the development process. Many respondents rely on security scanning and testing tools to manage software risk; however, deployments remain wildly inconsistent. For example:
Organizations rely on a wide range of scanning tools: 63% use six or more, with 9% reporting the use of over 30 tools.
Few tools are used enterprise-wide. Network and vulnerability scanning are the most broadly employed, but each is used by only just over half of all organizations: vulnerability scanning is used by 51% of organizations, while network scanning comes in at 53%.
Professionals don’t have a full picture about what tools are used in their organization. Beyond network and vulnerability scanning, respondents were asked about 10 other tool categories, and the lack of related knowledge is striking. For example, 25% do not know if their organization is using interactive application security testing (IAST), while 19% don’t know if they are using software composition analysis (SCA) or cloud middleware.
There’s no clear agreement on where to focus scanning within the SDLC. Build/CI environments receive the most focus with 68% of organizations scanning there, while integrated development environments (IDEs) get the least attention, as cited by 46% of respondents. Source code repositories, container/artifact management and deployment all fall somewhere in between. In short, there’s no definitive area where organizations agree focus is needed.
Ownership of scans is uncertain. There’s slight agreement that source code and IDEs should be owned by development teams—and container/artifact management and deployment should be owned by security—but even in these categories, only 40-50% of respondents agree. Overall, ownership between application security, development and security operations teams remains inconsistent.
Open source software
The use of Open Source Software (OSS) testing and scanning tools is another area where organizations exhibit inconsistent approaches. Most respondents (84%) believe open source tools are equally or more effective than commercial tools. However, when asked about initiatives that are planned or underway as part of their organization’s digital transformation, participants agree OSS receives the least amount of focus, with projects underway at only 47% of organizations.
Cloud migration emerged as the most mature initiative, underway at 80% of respondent organizations, followed by DevOps (67%), CI/CD (62%) and microservices (62%). This result illustrates that not all aspects of digital transformation move at the same pace. This is somewhat expected, as cloud services are relatively simple to pay for and begin using. That shift is very different from the cultural change that must spread through an organization to embrace DevOps.
“Businesses choose to see their evolution through the lens of digital transformation; it’s their way of describing acceleration of value stream delivery to customers through translating more of the business to software. To remain relevant, security must keep up with the pace and scope of this change,” said John Steven, CTO at ZeroNorth. “This shift doesn’t occur overnight, and it’s good to know that everyone is headed towards the same destination – we just have to agree on who’s going to navigate or drive each journey segment. Organizations that figure out how to prioritize and orchestrate the many pieces of their vulnerability management are in the best position to eliminate one of security’s most costly causes of delay along the journey.”