Security leaders want consequences for insecure code

Organizations plan to invest in DevSecOps in 2023, and the level of urgency for them to do so has grown. In a recent survey conducted by the Neustar International Security Council (NISC), 93% of participating information technology and security professionals reported that DevSecOps would be a significant budgeting priority in the coming year, with 55% emphasizing it would be a very significant priority with their organization.

Additionally, 86% of respondents agree that the urgency to prioritize DevSecOps has increased within their organization over the past 12 months. The top three factors driving this urgency were growing risk driven by accelerating digitization of their business (60%), the proliferation of high-profile supply chain attacks across the industry (53%), and an increasingly complex and rigorous regulatory and compliance landscape marked by growing liability for their organization should customers or partners be put at risk.

“DevSecOps has become a high priority for organizations as they look to better establish security as a central tenet through every phase of the software development lifecycle and ensure every release has security baked into the code,” said Carlos Morales, SVP of solutions at Neustar Security Services.

“By making security a shared responsibility across development, operations and security teams, DevSecOps should help better position organizations to identify potential vulnerabilities early in the process – ideally before being put into production – and save them from much bigger headaches down the line.”

Facing consequences for insecure software

Application vulnerabilities can be costly, both in resources allocated to fix security gaps and in revenue should a breach result in lost business and confidence. Among NISC survey participants, 92% agreed — 40% strongly so — that companies should face consequences if their software is found to be unsound or insecure.

Many favored government interventions, with 51% saying government bodies should force the culprit to implement more rigorous security measures and adopt DevSecOps, while 38% felt government bodies should punish the offending company with sizable fines. A strong proportion of respondents were also in favor of recourse for impacted companies.

50% felt the liable party should foot the bill for all mitigation and remediation costs by impacted downstream organizations, while 44% said downstream companies or customers relying on the vulnerable software should be able to file suit for damages. Moreover, 93% of organizations agree that federal mandates for software supply chain security controls are a good idea and should be implemented broadly, and more than one-third (36%) feel strongly about the prospect.

Plans to invest in DevSecOps in 2023

While more than nine in 10 organizations reside somewhere on the spectrum between building and fully implementing a formal DevSecOps strategy, only 13% of surveyed participants confirmed that their organization has fully implemented their strategy. 29% are in the process of implementing a strategy, while 15% are on the cusp of implementation and 35% are still in the process of building a formal strategy.

Various drivers are contributing to organizations’ adoption of DevSecOps. 72% of respondents identified improving their ability to discover, profile and monitor a growing inventory of applications and APIs through automated processes as one of the three most important drivers of their adoption of DevSecOps. Other important drivers of adoption include the need for more thorough code monitoring to better detect vulnerabilities throughout development, testing and operations (64%), driving a more robust security-centric culture for the organization (63%), and better compliance monitoring (62%).

Despite the growing importance of adopting DevSecOps, a range of factors are holding organizations back from doing so successfully. Chief among them is the shortage of security talent needed to implement the program, as cited by 42% of respondents. Other factors detracting from efforts include the organizational culture (37%), tool incompatibility (36%), difficulty in finding a project champion or shared responsibility for the initiative (33%), and a lack of buy-in from senior leadership (29%).

Top cybersecurity concerns

In other security concerns, professionals during the reporting period of July and August 2022 remained focused on the potential for DDoS attacks, which were identified by 21% as their highest perceived threat. Similar to past survey periods, system compromise and ransomware followed as top concerns among 20% and 17% of respondents, respectively.

Also similar to last period, ransomware was perceived to be an increasing threat among 75% of survey respondents, while generalized phishing jumped in visibility and was on the radar for 74% of participants. DDoS attacks, targeted hacking and social engineering via email closely followed, reported as increasing by 72%, 71% and 70% of surveyed professional, respectively.

DDoS attacks continue to be prevalent, and 86% of enterprises surveyed indicated that they have been on the receiving end of a DDoS attack at some point, a one-percentage-point increase over the previous survey period. 56% outsource their DDoS mitigation, and 62% indicated that mitigation of attacks typically occurred between 60 seconds and 5 minutes, consistent with previous survey findings.

The NISC survey was conducted in September 2022 and reflects respondents’ activity and concerns during July and August 2022. The survey enlisted feedback from senior information technology and security professionals from across six EMEA and U.S. markets.