
Tenable Blog


Cloud Security: 5 Key Takeaways from the SANS DevSecOps Survey

5 cloud security highlights from the “SANS 2022 DevSecOps Survey.”

A recent SANS Institute report finds that DevSecOps teams are improving their tooling, processes and techniques, but their organizations’ increasingly hybrid and multi-cloud IT environments are getting harder to secure. Check out key highlights from the “SANS 2022 DevSecOps Survey.”

Organizations continue to mature DevSecOps – the alignment of development, operations and security teams, tools and processes – but improving their security posture isn’t getting easier due to newer, more complex challenges.

That’s a key takeaway from the SANS Institute’s “SANS 2022 DevSecOps Survey,” based on a survey of 431 security leaders and practitioners worldwide.

In this blog, we highlight five insights from the report, which offers a deep dive on DevSecOps trends as well as concrete recommendations to keep DevSecOps efforts on the right track. We also provide insights on how Tenable can help.

At the root of many of the DevSecOps challenges highlighted in the SANS report is the increasingly hybrid, multi-cloud nature of organizations’ IT environments, where applications are “more than ever” being hosted on-premises and in multiple cloud platforms using virtual machines, containers and serverless functions.

“Such environments present security challenges because of the inherent differences among the various cloud service providers and the very different demands of on-premises hosting,” reads the 20-page report, which was sponsored by Tenable.

Five insights to bolster your DevSecOps strategy

[Figure: SANS DevSecOps survey - 5 cloud security takeaways. Source: SANS Institute, “SANS 2022 DevSecOps Survey,” September 2022]

  1. When asked to list the top factors contributing to their DevSecOps success, respondents ranked the following:
    • Management buy-in
    • Improved communications among dev, sec and ops
    • Automated build / test / deploy workflow
    • Integrated automatic security testing
    • Developer buy-in
  2. DevSecOps teams are underutilizing cloud security posture management (CSPM) software, which can help secure multi-cloud environments at scale when they mix VMs, containers and serverless functions. The report suggests organizations consider increasing their usage and adoption of CSPM products.
  3. CSPM and policy-as-code are helping organizations further automate the enforcement of their compliance policies at scale, with the share of respondents saying that 100% of their policies are automatically enforced jumping from 5.1% in 2021 to 18.4% this year.
  4. With DevSecOps teams releasing software to production more quickly and frequently — some daily and others even around the clock — they should make sure that all code is delivered via a CI/CD (continuous integration / continuous delivery) pipeline with built-in security tests.
  5. There’s been a general increase in security testing during the build and release cycle, with just one exception: the use of security plug-ins in integrated development environments (IDEs) is down from last year.


How can Tenable help put these insights to work for you?

Tenable offers software-as-a-service (SaaS) solutions and expertise, such as Tenable Cloud Security, a unified cloud security posture and vulnerability management solution that can be applied to support many of the SANS findings, no matter where you are in your journey:

  1. To improve management buy-in and foster DevSecOps collaboration, Tenable Cloud Security offers executives and DevSecOps practitioners integrated role-based dashboards that provide the targeted insights each needs to make better security decisions for their respective functions. For example, an overarching Cyber Exposure Score allows executives and cloud security architects to assess their organization's overall cloud security posture as compared to industry peers and justify investment decisions.
  2. To ease the pain of securing mixed-provider cloud environments, Tenable Cloud Security supports popular best practices like Center for Internet Security (CIS) benchmarks out of the box and applies them consistently across cloud providers and technologies — from virtual machines to cloud native architectures using infrastructure as code (IaC), containers and Kubernetes. It also allows for the definition of custom policy-as-code to meet unique requirements.
  3. To enforce compliance at scale, Tenable Cloud Security enables compliance testing for critical regulatory frameworks, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and others across all runtime environments — dev, test, staging and production — and provides automated compliance reporting, drift detection and alerting when runtime configurations deviate from compliance.
  4. To ensure security tests are applied within CI/CD pipelines, Tenable Cloud Security integrates with popular CI/CD tools and applies an extensive knowledge base of 1,500 policies and 72,000 vulnerabilities from Tenable Research to identify misconfigurations in IaC and vulnerabilities in images, and to provide automatic guardrails that notify on, or prevent deployment for, severe violations.
  5. To drive greater automation across build and release workflows, Tenable Cloud Security provides additional testing options for DevSecOps teams, including testing of code by developers on their desktop, integration and testing of source code management repositories and the ability to create automated pull requests that include compliant code that developers can accept with just a click, or security teams can set for auto-remediation.
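The policy-as-code guardrail pattern described in items 2 through 4 above (policies evaluated against IaC in the pipeline, with a severity-based decision to notify or block deployment), as an added illustration that is not Tenable's code and uses constructed sample resources with assumed field names:

```python
"""Minimal policy-as-code guardrail for an IaC plan (added illustration, not Tenable code).
Resource dicts are constructed to resemble a flattened plan; field names are assumptions."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample resources, as a CI job might read them from a rendered plan file.
SAMPLE_RESOURCES = [
    {"type": "aws_s3_bucket", "name": "logs", "acl": "private", "versioning": True},
    {"type": "aws_s3_bucket", "name": "assets", "acl": "public-read", "versioning": False},
    {"type": "aws_security_group", "name": "bastion",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "aws_security_group", "name": "app",
     "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
]

@dataclass(frozen=True)
class Policy:
    id: str
    severity: str                    # "low" | "medium" | "high" | "critical"
    applies_to: str                  # resource type the policy covers
    check: Callable[[dict], bool]    # returns True when the resource is compliant

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Policies written as code (hypothetical ids): what a CSPM/IaC scanner would ship.
POLICIES = [
    Policy("S3-001", "high", "aws_s3_bucket", lambda r: r.get("acl") == "private"),
    Policy("S3-002", "medium", "aws_s3_bucket", lambda r: r.get("versioning") is True),
    Policy("SG-001", "critical", "aws_security_group",
           lambda r: not any(i["port"] == 22 and i["cidr"] == "0.0.0.0/0"
                             for i in r.get("ingress", []))),
]

def evaluate(resources, policies=POLICIES):
    """Return (policy_id, severity, resource_name) for every violated policy."""
    return [(p.id, p.severity, r["name"])
            for r in resources for p in policies
            if r["type"] == p.applies_to and not p.check(r)]

def guardrail(violations, block_at="high"):
    """'block' if any violation is at least block_at, 'notify' if only lower ones, else 'pass'."""
    if not violations:
        return "pass"
    worst = max(SEVERITY_RANK[sev] for _, sev, _ in violations)
    return "block" if worst >= SEVERITY_RANK[block_at] else "notify"

if __name__ == "__main__":
    found = evaluate(SAMPLE_RESOURCES)
    for pid, sev, name in found:
        print(f"{sev.upper():9}{pid} on {name}")
    print("pipeline decision:", guardrail(found))
```

Raising `block_at` to `"critical"` turns the public bucket into a notification-only finding while still blocking the open SSH rule, which is the trade-off a team tunes when it first wires such checks into a pipeline.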
