SANS Survey Finds Only 29% of Orgs Have Automated Most of Their Security Testing


2. August 2021

This article has been indexed from Security Boulevard

IT workloads are increasingly moving to the cloud, changing the way organizations develop and deliver software. Deploying and running production systems is now separate from the hardware and network, infrastructure is defined through code, and operations are now part of cloud service APIs.
What does this mean for security?
Security professionals need to be able to read and write code.
They need to build security tests into the continuous integration/continuous delivery (CI/CD) pipelines.
They need to understand the different cloud architectures and platforms.
Security tests need to be conducted at a fast pace that won’t impact the speed of software deployments.
Ideally … security needs to become code.
But how are we doing on this quest to the future state of security? SANS Institute examined 281 global organizations to find out what security teams need to understand about software development to meet the demand of high-velocity software deliveries, the skills they need to catch vulnerabilities early, and the impact that cloud architectures and platforms have on this effort.
Cloud Platforming
For starters, the survey found that 97 percent of organizations use a public cloud provider. But these organizations aren’t sticking to just one cloud provider. Over 57 percent of organizations use three or more cloud platforms. Since every cloud platform is different in terms of configuration models, APIs, and services, using several of them can present operational and security challenges. Ideally, organizations need to leverage cloud-agnostic tools – like Terraform – to configure and provision services across multiple cloud platforms using the same toolset and language. Better yet, organizations should be automating cloud configuration through code and platform APIs.
Velocity of Delivery and Security Testing
With the transition to the cloud and DevOps practices, organizations have been able to deploy new software faster than ever. In fact, the velocity of software delivery has been increased by 14 percent over the past five years alone. But security scans have been lagging behind, causing many organizations to release vulnerable software to production. The survey found that, in most instances, security scans are delayed because organizations are using manual testing instead of automated testing. Only 29 percent of organizations have automated 75 percent or more of their security testing, and fewer tha

[…]

Content was cut in order to protect the source. Please visit the source for the rest of the article.
