Skip to main content
September 14, 2020

43% of Orgs Think DevOps Integration Is Critical to AppSec Success

It’s no secret that the rapid speed of modern software development means an increased likelihood of risky flaws and vulnerabilities in your code. Developers are working fast to hit tight deadlines and create innovative applications, but without the right security solutions integrated into your processes, it’s easy to hit security roadblocks or let flaws slip through the cracks.

We recently dug through the ESG survey reportModern Application Development Security, which uncovers some interesting data about the state of DevOps integration in the modern software development process. As the report states, DevOps integration is critical for improving your organization’s application security (AppSec) program, as automating and integrating solutions removes some of the manual work that can slow teams down and moves security testing into critical parts of the development process.

“DevOps integration reduces friction and shifts security further left, helping organizations identify security issues sooner,” the report says. “While developer education and improved tools and processes will no doubt also improve programs, automation is central to modern application development practices.”

Level of DevOps and AppSec Integration

According to the survey results, nearly half of organizations agree; 43 percent believe that DevOps integration is the most important piece of the puzzle for improving their AppSec programs. The report also outlines 10 elements of the most successful AppSec programs, and topping that list is ensuring that your AppSec controls are highly integrated into the CI/CD toolchain.

Integration challenges

For some survey respondents, that’s easier said than done. Nearly a quarter (23 percent) said that one of their top challenges with current AppSec testing solutions is that they have poor integration with existing development and DevOps tools, while 26 percent said they experience difficulty with – or lack of – integration between different AppSec vendor tools.

AppSec tool proliferation is a problem too, with a sizeable 72 percent of organizations using more than 10 tools to test the security of their code. “Many organizations are employing so many tools that they are struggling to integrate and manage them. This all too often results in a reduction in the effectiveness of the program and directs an inordinate amount of resources to managing tools,” they explain further.

So where should organizations like yours start? By selecting a vendor with a comprehensive offering of security solutions that integrate to help you cover those bases and consolidate solutions while reducing complexity. That’s where Veracode shines. We bring the security tests and training tools you need together into one suite so that you can consolidate and keep innovating – securely. And your organization can scale at a lower cost, too: our range of integrations and Veracode solutions are delivered through the cloud for less downtime and more efficiency.

Simplifying AppSec

We aim to simplify your AppSec program by combining five key analysis types in one solution, all integrated into your development process. From “my code,” to “our code,” to “production code,” we have you covered with Static Analysis (SAST), Dynamic Analysis (DAST), Software Composition Analysis (SCA), Interactive AppSec Testing (IAST), and Manual Penetration Testing (MPT).

My Code, Our Code, Production Code

Automating SAST, DAST, and SCA in the pipeline means that you can incorporate testing without needing to wait for your security team to step in, fixing flaws the moment you spot them to keep projects moving forward quickly. In fact, by building and integrating security testing into their CI/CD pipeline, we know that some development teams have reduced their median time to remediation (MTTR) by a whopping 90 percent, driving down risk and freeing up valuable time.

Want to learn more about integrating AppSec into the development process? Check out this short demo video of Veracode Static Analysis.

 

Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.