Study says only 50% of CI/CD workflows include security testing

Synopsys today released new data that highlights the opportunities and challenges of DevSecOps, an emerging paradigm in which DevOps teams incorporate application security into their continuous integration and continuous delivery (CI/CD) workflows.

The study found that only 50% of CI/CD workflows include application security testing elements despite respondents citing awareness of the importance and advantages of doing so.

DevOps teams today are working with large-scale infrastructures, releasing software faster, and doing so with significant code changes in each release.

Scaling application security testing

Furthermore, 63% of respondents say they expect to deploy software at least four times faster in a DevOps model. Without a clear and informed strategy, establishing and scaling application security testing within these faster-moving processes can be complex and difficult.

While organisations cited a lack of automation and consistency, reduced speed, and the noise of false positives as the primary challenges of DevSecOps, the survey also showed that automated tools integrated early in the software development life cycle can have a positive impact both on delivery speed and on the overall quality and security of software.

The survey revealed that software composition analysis (SCA), or the identification of open source software components affected by known vulnerabilities, is the most critical application security element that needs to be incorporated into CI/CD workflows.

DevOps challenges

Andreas Kuehlmann, General Manager of the Synopsys Software Integrity Group, commented: “DevSecOps presents an opportunity to make application security part of the cultural and technological fabric of modern, high-velocity development and deployment models.

“This study highlights many of the opportunities and challenges DevOps teams face in adapting and applying application security tools and best practices. It also validates that automation, speed, accuracy, and CI/CD integration — attributes Synopsys has built into its application security solutions — are critical to making DevSecOps successful.”

The 451 Research report ‘DevSecOps Realities and Opportunities’ analysed survey results from 350 decision-makers at large enterprises across a variety of industries.

Written from press release by Leah Alger