News in the Channel - issue #11

NEWS

Most organisations report DevOps delays due to critical security issues

More than 80% of IT professionals indicated that a critical security issue in deployed software impacted their DevOps delivery schedule in the last year, new research has found. The research was published in Synopsys Inc’s Global State of DevSecOps 2023 report, from the Synopsys Cybersecurity Research Center, which examines the strategies, tools and practices impacting software security. The report is based on a survey conducted by Censuswide polling more than 1,000 IT professionals across the world – including developers, application security professionals, DevOps engineers and CISOs, as well as experts in technology, cybersecurity and software development. Implementing DevSecOps, a framework focused on embedding security testing throughout each phase of the software development life cycle, is an established way to reduce the volume of critical vulnerabilities and exploitable security issues in production applications. “While [91%] of organisations have adopted some level of DevSecOps practices, they continue to face barriers effectively implementing its methods, especially at enterprise scale,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “Specifically, we’re noticing that organisations across the globe are struggling with integrating and prioritising the results from the multiple application security testing tools used by their teams. They also struggle to enforce security and compliance policies automatically through infrastructure-as- code, a practice that was cited most often by respondents as a key factor of their security

program’s overall success.” Key findings from the report include: l 52% of survey respondents noted that they are using AI to enhance their organisation’s software security measures. However, 76% are ‘very or somewhat concerned’ about potential errors or issues with AI-based cybersecurity solutions l 28% of respondents said their organisations take as long as three weeks to patch critical security risks/ vulnerabilities in deployed applications. Another 20% said it can take up to a month, even as most exploits appear within days l When asked to gauge the usefulness of security tools and practices – including dynamic application security testing (DAST), interactive application security testing (IAST), static application security testing, and software composition analysis (SCA) – each tool included in the survey was regarded as useful by at least two-thirds of respondents. The report identifies SAST as the highest-regarded AST tool, with 72% indicating that they find it useful, followed by IAST (69%), SCA (68%) and DAST (67%)

Jason Schmitt general manager

synopsys.com

download

l Software developers and engineers (45%) are just as likely to be tasked

with performing security tests on their organisation’s business-critical applications and continuous improvement pipelines as internal security team members (46%). Meanwhile 33% of organisations are also enlisting external consultants to supplement the efforts of internal teams.

AI training and policies amiss at UK and Irish businesses

While the use of AI tools in the workplace is rapidly increasing, many organisations are lagging in providing guidance and training in the use of these technologies, according to new research by Ricoh Europe. This governance gap comes amid growing interest within companies to implement automation solutions. The poll of 1,000 workers across the UK and Ireland, conducted by Opinium, revealed

a gap between workers' use of emerging technologies and organisations' efforts to support and manage that usage. The research found that 33% of employees use AI tools such as Chat GPT, with 10% of these using it once or more a day. However, the adoption of AI is outpacing employers’ implementation of formal policies and procedures. Only 12% have offered training on how to utilise AI tools. Without proper