DevSecOps and Misconfigurations: Key Facts to Know

Secure DevOps, DevSecOps, and “shifting left” have become increasingly popular terms in cybersecurity. With the rapid increase both in volume and speed to delivery of applications, attacks on applications have also increased in both volume and complexity. Combine this with the shortage of cybersecurity professionals and lacking security skillsets, cybersecurity teams are already stretched to their limits. This has given rise to a DevSecOps approach. However, DevSecOps isn’t a silver bullet - organizations still face misconfigurations and other security challenges, struggle with implementing a DevSecOps approach, and have insufficient security skillsets.

Our Secure DevOps and Misconfigurations Survey found these 4 key findings:

Key Finding 1: Most organizations are moving toward a DevSecOps approach

There are clear indications that organizations are moving toward a DevSecOps approach. The first indication is the increase in the variety of cloud workloads including containers and serverless that is expected over the next year. The increased use of these types of workloads indicates that there is a trend toward DevSecOps.

The second indication is that nearly 90% of organizations are in some phase of the journey toward DevSecOps. Just under half of the organizations are either implementing or refining their DevSecOps approach. Of those who haven’t yet reached the implementation phase, 48% expect to reach the implementation phase within a year. All of these indicate an explicit trend toward the use of a DevSecOps approach.

Key Finding 2: A third of misconfigurations are blamed on flawed or lack of internal guidance

Although there is a movement toward DevSecOps, misconfigurations still occur. On average, organizations are moderately confident in their ability to defend against misconfigurations. This is encouraging, but still leaves room for improvement. The primary reason cited for these misconfigurations was flawed or lacking internal guidance (33%). This indicates that the guidance organizations are developing internally is ineffective for preventing misconfigurations.

The use of other guidance such as industry frameworks could help organizations deal with this issue.

Key Finding 3: Organizations are struggling with IAM and PAM projects

Items ranked by confidence to defend against them

Despite misconfigurations repeatedly being rated as a top concern year after year, organizations are moderately confident with their ability to defend against them. What organizations are least confident about are issues of privilege access management and identity, authorization, and access challenges. In a previous survey, privilege and permission management was rated as a top IAM security challenge for organizations. This could speak to the complexity of implementing native cloud service provider solutions, third-party solutions, in-house solutions, or some combination. All often require a multi-year effort from organizations to properly implement.

Key Finding 4: Online articles and training are the top ways security professionals learn more about cloud security, tools, and vendors

Resources used to learn more about cloud security, tools, and vendors

Cloud security is a fast-moving industry with a shortage of experts. Keeping up with the latest best practices and trends often requires security professionals to seek out knowledge. The most common method to learn more about cloud security, tools, and vendors was through online articles or labs (81%) and training or workshops (80%). Conferences or industry events were also common (69%). Social media and entertainment platforms are used much less frequently despite their overall popularity. This indicates that security professionals still have a preference for traditional methods of learning.

Learn more about these findings in the Secure DevOps and Misconfigurations Survey Report.