SANS DevSecOps report: 5 key takeaways

SANS has released the results of its annual DevSecOps survey, which reveals important shifts in how organizations are approaching application security testing.

While the "shift left" mentality may be less pervasive, the survey found that shifting all the way left to upfront software risk assessments are now seen as the most useful technique for building secure applications. The report also highlights a greater reliance on third parties for compliance reviews and security testing, increased adoption of software composition analysis (SCA) — and a recognition that communication and culture are key to DevSecOps success.

As application security threats continue to evolve, the study, which was sponsored by Synopsys and surveyed 363 professionals representing a diverse set of roles, industries and organizations, provides valuable insights into current trends and best practices organizations are following to integrate security into rapid software development cycles.

Here are five key takeaways from the SANS Institute's 2023 DevSecOps Survey.

See Special Report: The Evolution of Application Security

1. 'Shift left' is less pervasive

The survey's report, written by Ben Allen and Chris Edmundson, noted that security testing is down in 2023 compared to the last two years. The emphasis on security testing prior to coding — architecture/design and requirements/use cases — that was seen in 2022 has dropped sharply this year, to 46% from 55%. And testing while coding via integrated development environment (IDE) plug-ins declined, too, to 37.6% from 39%.

While the “shift security left” mentality is less pervasive among this year’s respondents, the report said that's because application security is shifting to threat modeling before code is written.

2. Upfront risk assessments found to be most useful

The survey participants said one of the most useful techniques in their arsenal to create secure applications is upfront risk assessment before development starts. Despite the value placed on the technique, though, 9% fewer organizations appear to be deploying it this year compared to 2022. Nevertheless, the technique's ranking in usefulness among survey participants soared. Last year, it was ranked ninth in usefulness, while in 2023 it was ranked number one, with 85.4% of surveyed pros rating the technique "useful (49.5%)," or "very useful (35.9%)."

Another group of security practices that seem to have gained usefulness over the last year are threat modeling, attack surface analysis, and architecture/design reviews. Ranked 11th in 2022, the practices climbed to fifth this year, with 80.3% of survey participants finding the practices "useful (52.7%)," or "very useful (27.6%)."

Upward movement in these two categories epitomizes shifting security left, toward work that can be done before a single line of code is even written.

Other tools and practices appear to have lost some usefulness over the last 12 months. Web Application Firewalls, for example, dropped 12 places in the rankings, from first to 13, with 73% of survey respondents finding the tool "useful (41.9%)" or "very useful (31.1%)." Internal penetration testing also lost ground during the period, falling 11 places from 6th to 17th, with 69.9% of participants rating the practice "useful (45.1%)" or "very useful (24.8%)."

This reinforces the perception among those surveyed that early intervention is critical to success.

3. With third-party compliance, external support is growing

Despite fewer survey respondents from the heavily regulated banking and finance industries, third-party compliance or audits jumped 10 places in the usefulness rankings, from 17 to seven, with 76.9% of participants finding the practice "useful (55.6%)," or "very useful (21.3%)."

Leaning on external talent and resources to perform security tasks is growing among organizations, the survey discovered. When asked who performed security testing in their organizations, the use of external consultants and cloud-based testing platforms showed increases over last year, with 44% of organizations using external consultants, compared to 33% in 2022, and 38.6% using cloud platforms, compared to 22.6% last year. At the same time, the use of internal security teams to do testing declined to 52% from 68.6%.

DevSecOps teams are increasingly looking to third parties to supplement their application security testing programs to lighten the testing load on internal teams, said Ben Hutchinson, an associate principal consultant with the Synopsys Software Integrity Group (SIG). "Many industries, organizations, and markets have been forced to react to global economic challenges over the past year. Our findings, perhaps, also illustrate that organizations may be reacting to these pressures to reduce internal overheads by turning to trusted partners to help solve cross-domain and platform challenges, and also looking to find efficiencies with their external testing providers, existing security platform and technology provider."

Hutchinson said that also translated into more comprehensive testing practices.

Refreshingly, in some areas, we're starting to see a more balanced outlook integrating a range of application security testing approaches to optimize protection for the important applications that run our society. It's a notable improvement, and one we should celebrate. But with a rapidly evolving threat landscape and at-risk software supply chain, it's essential to keep our foot on the gas.

Ben Hutchinson

4. DevSecOps teams are adopting modern tools

The survey also revealed broad use of static application security testing (SAST) and software composition analysis (SCA) tools. It noted that SAST usage was reported by over 85% of respondents, with 79% of respondents using SAST to cover at least 25% of their code.

There was also a notable increase in SCA testing this year. Almost half of the participants (45.2%) noted that 50% or more of their code was subject to SCA testing. That's nearly 20% more than 2022, when only 25.6% told surveyors that 50% or more of their code base was reviewed with SCA.

The report recommended that before testing how an application behaves when running, it’s crucial that organizations assess their supply chains, especially for containerized workloads. Scanning container images, analyzing the collection of third-party components used to build an application, and analyzing custom code with SAST tools all contribute to clearly understanding which risks are present in an application before it ever executes, it added.

5. AI is used cautiously by DevSecOps teams

Artificial intelligence (AI) took the tech world by storm, so it's not surprising that teams are embracing it for DevSecOps. This survey found a 16% increase in the use of AI automation and other potential improvements to their DevSecOps from 2022 to 2023 — up from 33% to 49%.

However, nearly a third of respondents (about 30%) reported not using AI or data science capabilities, which indicated caution, most likely around intellectual property concerns.

Jamie Boote, an Associate Principal Consultant of the Synopsys Software Integrity Group, said AI and ML technologies are now ready for adoption by large enterprises.

Early adopter companies are interested in seeing how they can take advantage of this powerful new software without suffering the pain that bleeding edge companies felt when sharing secrets or using AI-generated IP. These companies are looking to adopt AI and ML engines from providers like Microsoft and OpenAI, and they are also looking for guard rails to keep them safe. They are also seeking to leverage enterprise agreement — like those built by cloud hosts to ensure that client secrets are kept safe from re-use — and they're also looking to see that those secrets are kept safe from potential cybersecurity breaches, too.

Jamie Boote

DevSecOps: It takes a team

Any successful DevSecOps program requires a strong focus on communication and culture to break down organizational silos, the report said.

As the DevSecOps journey progresses, it continued, agreeing on the "why" by getting buy-in, understanding the "what" through training, and implementing the "how" by integrating tools into processes may be temporary top priorities, but communication must not be neglected.

Synopsys SIG DevSecOps Practice Lead Satish Swargam said that when not implemented correctly, a DevSecOps program often does more harm than good and can ultimately cause an organization’s application security program to fail.

A successful DevSecOps practice, on the other hand, will first focus on rolling out continuous automated security testing as well as fostering a harmonious culture between DevOps, security, and leadership teams. It’s no surprise to see that these continue to be the leading factors of a well-rounded and mature DevSecOps program because when implemented correctly, DevSecOps empowers organizations to build a secure agile software development lifecycle, and improve its overall security posture.

Satish Swargam