-
Security best practices are much talked about, but less common than we might think, according to a top dog at Datadog
- Having a security plan is not enough, says an Avasant researcher
-
Java ranks high for critical and high-security vulnerabilities—but it’s not Java’s fault
Feeling overwhelmed by the security part of DevSecOps? You’re not alone, separate studies by Datadog and Avasant Research found.
Many organizations rely on manual deployment to the cloud, which is riskier than automation. Organizations also use long-lived credentials, which are a common cause of data breaches, according to Datadog’s State of DevSecOps 2024 study, released Wednesday afternoon.
DevSecOps teams that feel like they’re failing should take solace in that they’re not alone and should resolve to do better, Andrew Krug, Datadog head of security advocacy, told Fierce Network.
“Practices that we as an industry talk about constantly and that everybody believes are just common really aren’t as pervasive as we think they are,” Krug said.
“There’s almost a nihilistic aspect to DevSecOps," he said.
Krug added, “People think they can’t get there and that everybody else is already there. But you have to start somewhere. We hope the report encourages people to lean into DevSecOps behaviors.”
The study is based on telemetry from tens of thousands of applications and container images from thousands of customers. Among the key findings:
-
More than a third of organizations (38%) are running workloads on Amazon Web Services (AWS) deployed manually through the console in a production environment within a 14-day period. These organizations rely on risky click operations instead of automation, which is more secure.
-
And nearly two-thirds (63%) of organizations rely on long-lived credentials in their Continuous Integration/Continuous Delivery (CI/CD) pipelines, even when short-lived credentials would be more practical and secure.
Also: The study doesn’t make Java look great, but those findings are easy to misinterpret.
Java applications are hardest hit by third-party vulnerabilities, the report finds. Some 90% of Java services are susceptible to one or more critical or high-severity vulnerabilities introduced by a third-party library. That compares with an average of 47% for other programming languages, according to the report.
But the vulnerability rate is so high because Java is so commonly in use, Krug said. It’s a bigger target. Java itself is not more insecure than any other development environment.
A separate study confirms
Datadog’s findings on security preparedness aligns with other research from Avasant.
“I think it’s fair to say that some DevSecOps organizations are not implementing good security practices,” said David Wagner (no relation to your humble author), senior research director for Avasant Research.
Avasant examined the adoption of 35 major IT best practices in its IT Management Best Practices report. Eleven of these are security practices, and six of those rank in the “top 10 least mature best practices,” with maturity defined “as the percentage of organizations that have adopted a particular best practice formally and consistently,” Wagner said.
On the other hand, nine of those security practices are ranked in the top 10 most adopted enterprise IT best practices.
Disaster recovery is an example of a security practice. “To adopt the best practice you simply need the DR plan. To adopt formally and consistently, you need to test the plan, regularly update the plan, train new or promoted employees on the plan, and other tasks,” Wagner explained.
Enterprises aren’t routinely practicing security formally and consistently. “Some of the least mature best practices include multi-factor authentication, encryption and policies for personal device usage,” Wagner said.
He added: “Security is often seen as the job of the ‘security guys,’ but in reality strong IT organizations bake security into every role and every process. We’re seeing some good security in some areas and less good in others.
"The problem with security is that it is only as good as the weakest point. In a lot of cases, a breach of a less important system leads to a lateral movement into something more serious.”
Automation is the problem — and solution
Potential avenues for exploitation by malicious actors are opened by increased complexity in the software supply chain and proliferating automated code generation, facilitated by collaborative development platforms and co-piliots, said Chirag Mehta, VP and principal analyst at Constellation Research.
Organizations are “increasingly integrating security measures into their continuous integration/continuous deployment (CI/CD) pipelines” to address challenges, Mehta said.
“By incorporating code-scanning tools and automated security checks into the development workflow, they are ensuring the delivery of secure software while maintaining the agility and efficiency of their development processes," he concluded.