13 Mar 2023

DevSecOps is a vital strategy with automated security included in every phase of software development.

Implementing DevSecOps means application and infrastructure security becomes a shared responsibility amongst the development, operations, and security teams, which maximises protection at every level of the organisation.

Investing in DevSecOps strategies

According to a recent report conducted by the Neustar International Security Council (NISC), an elite group of cybersecurity professionals across government agencies and companies, organisations plan to invest heavily in DevSecOps strategies this year and the level of urgency for them to do so has grown significantly, given the increase in cyber threats and high-profile supply chain attacks.

93 percent of organisations confirmed that they are focusing on DevSecOps this year, with 86 percent agreeing that it became a ‘business priority’ in 2022.

The evolving threat landscape

60% of organisations listed increased digitisation as a contributing factor to adopting DevSecOps strategies

The threat landscape has evolved significantly over the past few years, with new threats and attack vectors emerging, leading to a growing awareness of DevSecOps and the benefits it can bring. For example, the pandemic forced a shift to cloud-based delivery models or multi-cloud environments with remote or hybrid capabilities to cope with the ‘new normal’, expanding the attack surface.

Cyber extortionists are exploiting this, adopting more complex attack methods to bypass organisations’ defences. According to NISC’s findings, 60 percent of organisations listed increased digitisation as a contributing factor in their rush to adopt DevSecOps strategies.

Ransomware

Ransomware also continues to be a dominant threat, as highlighted in the annual review of the National Cyber Security Centre (NCSC), part of GCHQ, which reported 18 ransomware attacks in the UK in 2022 that warranted a national-level response.

75 percent of leaders listed ransomware as a growing threat to their organisations, followed closely by DDoS attacks, targeted hacking, and social engineering via email, which is also increasing.

Addressing cyber risks 

Attacks have increased in sophistication, volume, and severity and are having disastrous consequences for businesses and governments alike. In fact, ransomware poses a serious risk to our critical national infrastructure (CNI) and this has been acknowledged by leaders and governments around the world.

The European Commission recently proposed new rules that aim to incorporate efficient cyber and information security measures across EU institutions, bodies, offices, and agencies.

Prioritising DevSecOps for 2023

Organisations need to optimise security measures by adopting an ‘always on’ approach to cybersecurity

Cyberattacks have evolved and become more ubiquitous, which has led to this focus on DevSecOps. Indeed, supply chain attacks were listed as a main driver behind DevSecOps strategies for the majority of businesses (53 percent). 

The Sunburst attack on SolarWinds revealed how the supply chain can increase the attack surface and leave organisations and their partners exposed, enabling threat actors to bypass a company’s security defences. Moving forward, organisations need to optimise security measures by adopting a more proactive strategy, or an ‘always on’ approach to cybersecurity.

Protection and prevention efforts

That being said, while DevSecOps is being prioritised, only 13 percent of organisations have fully implemented a clear strategy. In fact, NISC found that most organisations (42 percent) feel that the lack of security talent is preventing them from adopting a formal strategy.

Security teams should be maximising their protection and prevention efforts, going beyond software updates and bug fixes.

Multi-layered defences

Multi-layered defences such as regular backups, reliable patching, and keeping software and systems up to date are vital to effective cybersecurity, but with the ever-evolving threat landscape, early detection is more critical now than ever.

Realistically, organisations need to start adopting a range of effective prevention and mitigation measures to stay ahead of the more sophisticated attack methods, and this is where DevSecOps proves vital.

Establishing a more proactive cybersecurity strategy 

DevSecOps is far more than simply automating tasks and conducting regular testing and security audits

Given the increased sophistication and volume of threats such as ransomware, DDoS attacks, and supply chain attacks, DevSecOps is proving essential in day-to-day business. This year, leaders need to scale up their DevSecOps programmes and include them within their internal security, and establish a culture of best practices, to ensure this strategy is effective.

DevSecOps is far more than simply automating tasks and conducting regular testing and security audits. It requires clear and efficient communication between the development, security, and IT teams, as well as educating these teams on the shift and the benefits of establishing a clear DevSecOps strategy.

Compliance and security practices

This year, companies need to make cybersecurity and DevSecOps a business priority. Security needs to be an integral part of company culture and a core capability of the product development process. This means having a dedicated in-house security team and embedding compliance and security practices within the developer tools themselves.

Only then will organisations be thoroughly prepared for any given event and establish themselves in a stronger position in this constantly evolving and dangerous threat landscape.