close search bar

Sorry, not available in this language yet

close language selection

Deep Dive: 2023 Global State of DevSecOps Report

Fred Bals

Oct 10, 2023 / 2 min read

Aimed at examining the strategies, tools, and practices impacting software security, the just-released “Global State of DevSecOps 2023” report from Synopsys, is based on a survey conducted by Censuswide polling more than 1,000 IT professionals across the world. The following is a deep dive into key report findings. 

According to the report, over 70% of the surveyed respondents said that automated scanning of code for vulnerabilities or coding flaws—static application security testing (SAST)—was a useful security measure. SAST was closely followed by interactive application security testing (IAST) with 69%, software composition analysis (SCA) with 68%, and dynamic application security testing (DAST) with 67%. 

When asked 'how do development, operations, and security teams really feel about the application security testing (AST) tools they use?', all but 3% of the 1,000 respondents—all of whom hold roles in application/software development with a focus on cybersecurity—had major issues with the application security tools (AST) they use. In fact, the respondents were pretty evenly split across the board about the issues with their tools. As seen in the graphic below, the highest issue is separated from the lowest by only a few percentage points. 

Challenges became even more apparent when respondents provided their answers to the query below

The respondents said that the AST tools they use do not prioritize resolution based on factors like exposure, exploitability, and criticality, are too slow to fit into continuous deployment release cycles, and are inaccurate and unreliable.

Differing priorities

In the report’s introduction, the authors note that the term “DevSecOps” embraces several different disciplines, many of which have unique personas. And that means when it comes to “business priorities,” the term can mean different things to different personas.

For example, business leaders prioritize the need to understand how effective their AppSec tools are, whereas development and operations teams prioritize a centralized view of all issues. And although those are separate priorities, both align with the issue, “No way to consolidate/correlate results from different tools.” Security teams want to cut through the noise to prioritize critical issues quickly, so they cite such issues as “Inaccuracy/unreliability” and “High number of false positives.”

Determining what to patch first

With no way to consolidate or correlate results from different security tests, security and DevOps teams spend too much time determining what needs to be fixed first. This is likely one of the reasons why nearly three-quarters of respondents note that their organizations can take anywhere from two weeks to a month to patch known critical vulnerabilities.

And failure to patch can quickly affect the bottom line. More than 80% of respondents said that dealing with critical vulnerabilities or related security issues of deployed software impacted their delivery schedules during 2022-23.

Learning from around the globe

With participants from the U.S., U.K., France, Finland, Germany, China, Singapore, and Japan represented, the report covers topics including DevSecOps adoption, leading security practices, the importance of cross-functional teams for success, successfully measuring a security program, and the promises and pitfalls that AI might bring to DevSecOps. For organizations struggling to gain cohesion across myriad security tools while keeping pace with business demands, the Synopsys 2023 DevSecOps report is a must-read.

Report

Global State of DevSecOps 2023

Uncover the strategies, practices, and tools that make up an effective DevSecOps program

Download the report

Continue Reading

Top 4 software development methodologies

Top 4 software development methodologies

Mike McGuire
By Mike McGuire

Mar 24, 2024 / 5 min read

Tags: Agile, CI/CD, Software Integrity, Build Security into DevOps, DevSecOps
The Synopsys integrated DevSecOps playbook: Steps for successful DevSecOps

The Synopsys integrated DevSecOps playbook: Steps for successful DevSecOps

Steven Zimmerman
By Steven Zimmerman

Mar 04, 2024 / 4 min read

Tags: Software Integrity, Build Security into DevOps, DevSecOps
The cybersecurity landscape - A discussion of future state and AI with Dr. Lisa Bradley

The cybersecurity landscape - A discussion of future state and AI with Dr. Lisa Bradley

By Sammy Migues

Feb 21, 2024 / 1 min read

Tags: Artificial Intelligence, Software Integrity, Build Security into DevOps, DevSecOps
DevSecOps best practices

DevSecOps best practices

Steven Zimmerman
By Steven Zimmerman

Feb 13, 2024 / 2 min read

Tags: Software Integrity, Build Security into DevOps, DevSecOps
AppSec Decoded: How to implement security in DevOps

AppSec Decoded: How to implement security in DevOps

Steven Zimmerman
By Steven Zimmerman

Feb 07, 2024 / 2 min read

Tags: Software Integrity, Build Security into DevOps, DevSecOps
AppSec Decoded:Tips for reaching DevSecOps maturity

AppSec Decoded:Tips for reaching DevSecOps maturity

Taylor Armerding
By Taylor Armerding

Jan 29, 2024 / 2 min read

Tags: Software Integrity, DevSecOps

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security