Many organisations still seemingly bolt security on to the end of the development lifecycle from a team in another silo
The DevSecOps Realities and Opportunities study by 451 Research, commissioned by Synopsys, suggests that many developers who are well aware of the importance of security in the DevOps process proceed to ignore it anyway. Analysing responses from some 350 decision-makers at large enterprises across a wide range of industry sectors, the study found that software composition analysis (SCA), which identifies open source software components affected by known vulnerabilities, is understood to be the most critical application security element to incorporate into the development workflow. Somewhat surprisingly, then, it also found that almost 40 percent of organisations don’t use SCA (or claim not to have any open source components). The latter claim is more surprising still, given that a Black Duck Software report on open source security and risk analysis suggested that at least 95 percent of applications do contain open source components.