DevSecOps Report – Proactively prevent vulnerabilities
Web security or security-aware software development should no longer be a luxury. That’s why terms like DevOps or DevSecOps have become an integral part of our industry. In other words, agile software development that is focused on security is one of the most important approaches to modern development. Or is it?
What does GitLab’s DevSecOps Report 2021 have to say about this?
It contains some very interesting findings on the importance of security in software development:
- 99% of applications contain at least 4 vulnerabilities, 80% even have more than 20.
- More than 90% of participants say that security scans run for more than 3 hours, with about a third running for more than 8 hours.
- For more than two-thirds of participants, it takes more than 4 hours to fix a vulnerability.
These numbers show two things:
- All applications contain vulnerabilities, although automated tests are already used to prevent them.
- It is quite costly to fix vulnerabilities.
In addition, the report shows that a large percentage of companies have already been victims of successful attacks:
- More than 70% have lost critical data.
- Two-thirds have experienced operational disruptions and
- More than 60% have seen negative impacts to their brand.
Based on these serious impacts, we might assume that security is becoming a higher priority. However, nearly 80% of DevOps teams reported just the opposite, saying they were under pressure to shorten release cycles. As a result, more than 50% of organizations reported sometimes skipping security scans to meet deadlines.
Preventing cyber-attacks and IT vulnerabilities
These results show that companies face a dilemma: either they meet their deadlines, or they risk the repercussions of successful cyber-attacks against themselves or their products. The obvious solution would be to value security over new features. But nothing is simple when you constantly have to innovate to succeed in today’s fast-paced world. Another solution to the dilemma is to equip development teams with the knowledge and tools to prevent security vulnerabilities from the start, when the code is first written. There are several ways to do this.
Continuing education in any form to proactively improve IT security
There are a variety of different training offerings: training courses, eLearning, micro-learning, self-study, competitions, etc. Each of these forms of learning has its place, as everyone has different preferences and strengths when it comes to learning. In addition, the different forms of learning have their advantages at different levels of prior knowledge. A combination is often very helpful. For example, the basics can first be learned in a classic training course and then internalized through micro-learning or a competition. The important thing is to bring the training to the developers and not the other way round.
- Classical training courses have, among other things, the advantages that they impart knowledge in a short period of time without distractions and that individual questions and requirements can be addressed. A disadvantage is that they often cannot take place right when the knowledge is needed.
- eLearning offers the freedom to work on the learning content at one’s own pace, even in between other tasks. However, this often leads to the problem that the lessons are easily forgotten in the daily work routine alongside other tasks.
- The situation is similar with micro-learning, in which learning content is broken down into small modules and ideally integrated into the daily work routine in a context-related manner. An example of this is the Secure Code Warrior plugin for SCM-Manager (see below). The contextual integration of learning content has the advantage that the learning units are not in competition with other tasks because they are integrated into the tasks.
- In self-study there is no fixed curriculum. This has the advantage that developers only acquire exactly the knowledge they really need. The disadvantage is that all content must be researched independently.
- At first glance, competitions are only suitable for deepening existing knowledge. However, they also offer the opportunity to gain new knowledge by working on problems that are new and have to be solved in a creative way.
Micro-learning: improving security through continuous and contextual learning
Contextual learning offers the opportunity to closely integrate practice and theory to improve learning outcomes. For this purpose, suitable learning content, e.g. in the form of micro-learning, is displayed while tasks are being worked on. An example of this is the integration of videos and tasks on security vulnerabilities into the code review process in SCM-Manager.
Through such integrations, learning content is provided exactly when team members are working on tasks with potential security vulnerabilities. An example of this is the Secure Code Warrior plugin for SCM-Manager mentioned earlier.
GitLab’s DevSecOps Report 2021 shows that software security, while perceived as an important issue, is prioritized lower than the development of new features in many organizations. This prioritization is unlikely to change much in the future. Therefore, it is necessary to change from a reactive to a proactive approach in order to meet the security requirements while keeping release cycles short. This can be achieved through different types of training.