9 of 10 security leaders believe companies should face consequences for releasing insecure software

Organisations plan to invest in DevSecOps in 2023, and the level of urgency for them to do so has grown. In a recent survey conducted by the Neustar International Security Council (NISC), 93 percent of participating information technology and security professionals reported that DevSecOps would be a significant budgeting priority in the coming year, with 55 percent emphasizing it would be a very significant priority with their organisation.

Additionally, 86 percent of respondents agree that the urgency to prioritise DevSecOps has increased within their organisation over the past 12 months. The top three factors driving this urgency were growing risk driven by accelerating digitisation of their business (60 percent), the proliferation of high-profile supply chain attacks across the industry (53 percent), and an increasingly complex and rigorous regulatory and compliance landscape marked by growing liability for their organisation should customers or partners be put at risk.

“DevSecOps has become a high priority for organisations as they look to better establish security as a central tenet through every phase of the software development lifecycle and ensure every release has security baked into the code,” said Carlos Morales, senior vice president of solutions at Neustar Security Services. “By making security a shared responsibility across development, operations and security teams, DevSecOps should help better position organisations to identify potential vulnerabilities early in the process – ideally before being put into production – and save them from much bigger headaches down the line.”

Application vulnerabilities can be costly, both in resources allocated to fix security gaps and in revenue should a breach result in lost business and confidence. Among NISC survey participants, 92 percent agreed — 40 percent strongly so — that companies should face consequences if their software is found to be unsound or insecure. Many favored government interventions, with approximately half (51 percent) saying government bodies should force the culprit to implement more rigorous security measures and adopt DevSecOps, while nearly four-in-ten (38 percent) felt government bodies should punish the offending company with sizable fines. A strong proportion of respondents were also in favor of recourse for impacted companies. 50 percent felt the liable party should foot the bill for all mitigation and remediation costs by impacted downstream organisations, while 44 percent said downstream companies or customers relying on the vulnerable software should be able to file suit for damages.  Moreover, 93 percent of organisations agree that federal mandates for software supply chain security controls are a good idea and should be implemented broadly, and more than one-third (36 percent) feel strongly about the prospect.

While more than nine in 10 organisations reside somewhere on the spectrum between building and fully implementing a formal DevSecOps strategy, only 13 percent of surveyed participants confirmed that their organisation has fully implemented their strategy. Almost one-third (29 percent) are in the process of implementing a strategy, while 15 percent are on the cusp of implementation and 35 percent are still in the process of building a formal strategy.

Various drivers are contributing to organisations’ adoption of DevSecOps. Nearly three quarters (72 percent) of respondents identified improving their ability to discover, profile and monitor a growing inventory of applications and APIs through automated processes as one of the three most important drivers of their adoption of DevSecOps. Other important drivers of adoption include the need for more thorough code monitoring to better detect vulnerabilities throughout development, testing and operations (64 percent), driving a more robust security-centric culture for the organisation (63 percent), and better compliance monitoring (62 percent).

Despite the growing importance of adopting DevSecOps, a range of factors are holding organisations back from doing so successfully. Chief among them is the shortage of security talent needed to implement the programme, as cited by 42 percent of respondents. Other factors detracting from efforts include the organisational culture (37 percent), tool incompatibility (36 percent), difficulty in finding a project champion or shared responsibility for the initiative (33 percent), and a lack of buy-in from senior leadership (29 percent).

In other security concerns, professionals during the reporting period of July and August 2022 remained focused on the potential for DDoS attacks, which were identified by 21 percent as their highest perceived threat. Similar to past survey periods, system compromise and ransomware followed as top concerns among 20 percent and 17 percent of respondents, respectively. Also similar to last period, ransomware was perceived to be an increasing threat among 75 percent of survey respondents, while generalised phishing jumped in visibility and was on the radar for 74 percent of participants. DDoS attacks, targeted hacking and social engineering via email closely followed, reported as increasing by 72 percent, 71 percent and 70 percent of surveyed professional, respectively.

DDoS attacks continue to be prevalent, and 86 percent of enterprises surveyed indicated that they have been on the receiving end of a DDoS attack at some point, a one-percentage-point increase over the previous survey period. The majority (56 percent) outsource their DDoS mitigation, and most (62 percent) indicated that mitigation of attacks typically occurred between 60 seconds and 5 minutes, consistent with previous survey findings.

The NISC survey was conducted in September 2022 and reflects respondents’ activity and concerns during July and August 2022. The survey enlisted feedback from senior information technology and security professionals from across six EMEA and U.S. markets.