Gartner: Software businesses must adopt DevSecOps before it becomes mainstream
Integration will ultimately help organisations reduce friction between security and development, research firm says
Software businesses must make DevSecOps and software composition analysis a priority before they become mainstream, research firm Gartner has concluded.
In its Hype Cycle 2022 report, Gartner said DevSecOps and Software Composition Analysis (SCA) will see mainstream adoption in less than two years, listing them as ‘transformational’ innovations – the highest rating in its ranking system.
These transformational innovations are described as having a “significant impact on an organization’s business models” and will drive a need for new strategies and tactics.
By integrating security into the development process, businesses can eliminate or reduce friction between security and development and, ultimately, achieve a secure software development lifecycle (SDLC).
The research firm said the drivers include the adoption of DevOps and its need for security and compliance testing that can keep up with the pace of development, as well as the fact that DevSecOps applies testing earlier in the lifecycle than traditional application security testing (AST) tools do.
Testing results also need to be integrated into the development process in a manner that complements developers’ existing workflows and toolsets, while the use of open source has significantly increased the risk of inadvertent use of vulnerable components and frameworks by developers.
However, Gartner also noted several key obstacles: developers believe security testing tools slow them down, do not understand the vulnerabilities their code creates, and do not want to leave their continuous integration/continuous delivery (CI/CD) pipeline to perform tests or view results.
Static application security testing (SAST) and dynamic application security testing (DAST) tools have also been hindered by false positives or vague findings that frustrate developers, Gartner added. The diversity of tools used in modern CI/CD pipelines, it said, “will complicate the seamless integration of DevSecOps offerings”.
To counter these, Gartner recommends several tactics, including preparing teams for automated integration, “shifting left” to make security testing tools available earlier in development, and favouring offerings that can link scanning in development to correct configuration, visibility and protection at runtime.
Similarly, SCA tools help ensure the software supply chain can be trusted: they identify known vulnerabilities and check that components are properly licensed, while supporting the use of open source software (OSS) in application development.
According to Gartner, SCA should be considered a “foundational element of application security testing” to identify known vulnerabilities and supply chain risks in open source packages.
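To make concrete what an SCA step in a CI pipeline actually does (the “shift left” gate described above), here is a minimal example. It is an added illustration written for this page, not code from Gartner or from any SCA vendor; the lockfile, advisory feed, licence metadata and advisory identifiers are all constructed placeholders, and a real tool would pull the advisory and licence data from a vulnerability database and package manifests rather than from in-file dictionaries.

```python
"""Minimal software composition analysis (SCA) gate for a CI pipeline.

Added example, not from the article: it parses a pip-style lockfile,
matches each pinned package against an advisory list (constructed sample
data; the identifiers are placeholders, not real CVEs), checks licences
against an allow-list, and returns findings so the pipeline can fail
early instead of surfacing the problem after deployment.
"""
from dataclasses import dataclass
import re

# Constructed sample lockfile, in the format produced by `pip freeze`.
SAMPLE_LOCKFILE = """\
# generated by pip freeze (constructed sample)
requests==2.19.0
urllib3==1.26.18
leftpad-clone==0.9.1
"""

# Constructed advisory feed: package -> [(fixed_in_version, advisory id, severity)].
# Advisory identifiers are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = {
    "requests": [("2.20.0", "ADV-PLACEHOLDER-001", "high")],
    "urllib3": [("1.26.5", "ADV-PLACEHOLDER-002", "medium")],
}

# Constructed licence metadata, as an SCA tool would read it from package manifests.
SAMPLE_LICENSES = {
    "requests": "Apache-2.0",
    "urllib3": "MIT",
    "leftpad-clone": "AGPL-3.0",
}

# Licence allow-list for this hypothetical project.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    kind: str        # "vulnerability" or "license"
    detail: str
    severity: str    # advisory severity, or "policy" for licence violations


def parse_version(v):
    """Turn '1.26.18' into (1, 26, 18) for comparison; non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text):
    """Return {name: version} from 'name==version' lines; comments and blanks are skipped.

    Unpinned requirements are rejected: an SCA result is only meaningful for exact versions.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def scan(lockfile_text, advisories=SAMPLE_ADVISORIES,
         licenses=SAMPLE_LICENSES, allowed=ALLOWED_LICENSES):
    """Return a list of Finding objects for every pinned package in the lockfile."""
    findings = []
    for name, version in parse_lockfile(lockfile_text).items():
        # Known vulnerability: the pinned version is older than the first fixed version.
        for fixed_in, adv_id, severity in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(name, version, "vulnerability",
                                        f"{adv_id} (fixed in {fixed_in})", severity))
        # Licence policy: anything outside the allow-list (or unknown) is flagged.
        lic = licenses.get(name, "UNKNOWN")
        if lic not in allowed:
            findings.append(Finding(name, version, "license", lic, "policy"))
    return findings


def gate(findings, fail_on=("high", "critical", "policy")):
    """Return True when the build may proceed; the CI job exits non-zero otherwise."""
    return not any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOCKFILE)
    for f in results:
        print(f"{f.kind:<13} {f.package}=={f.version}: {f.detail} [{f.severity}]")
    raise SystemExit(0 if gate(results) else 1)
```

Run as a pipeline step, the script prints one line per finding and exits non-zero when a high-severity vulnerability or a licence violation is present, which is what lets the pipeline block the change without developers leaving their CI/CD workflow. With the constructed sample data it reports the outdated `requests` pin and the disallowed AGPL licence, and passes `urllib3` because the pinned version is already past the fix.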