Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 部落格


雲端安全:5 Key Takeaways from the SANS DevSecOps Survey

5 cloud security highlights from the “SANS 2022 DevSecOps Survey.”

A recent SANS Institute report finds that DevSecOps teams are improving their tooling, processes and techniques, but their organizations’ increasingly hybrid and multi-cloud IT environments are getting harder to secure. Check out key highlights from the “SANS 2022 DevSecOps Survey.”

Organizations continue to mature DevSecOps – the alignment of development, operations and security teams, tools and processes – but improving their security posture isn’t getting easier due to newer, more complex challenges.

That’s a key takeaway from the SANS Institute’s “SANS 2022 DevSecOps Survey,” based on a survey of 431 security leaders and practitioners worldwide.

In this blog, we highlight five insights from the report, which offers a deep dive on DevSecOps trends as well as concrete recommendations to keep DevSecOps efforts on the right track. We also provide insights on how Tenable can help.

At the root of many of the DevSecOps challenges highlighted in the SANS report is the increasingly hybrid, multi-cloud nature of organizations’ IT environments, where applications are “more than ever” being hosted on-premises and in multiple cloud platforms using virtual machines, containers and serverless functions.

“Such environments present security challenges because of the inherent differences among the various cloud service providers and the very different demands of on-premises hosting,” reads the 20-page report, which was sponsored by Tenable.

Five insights to bolster your DevSecOps strategy

SANS DevSecOps survey - 5 cloud security takeaways Source: SANS Institute, “SANS 2022 DevSecOps Survey,” September 2022

  1. When asked to list the top factors contributing to their DevSecOps success, respondents ranked the following:
    • Management buy-in
    • Improved communications among dev, sec and ops
    • Automated build / test/ deploy workflow
    • Integrated automatic security testing
    • Developer buy-in
  2. DevSecOps teams are underutilizing cloud security posture management (CSPM) software which can help secure at scale multi-cloud environments with a mix of VMs, containers and serverless. The report suggests organizations consider increasing their usage and adoption of CSPM products.
  3. CSPM and policy-as-code are helping organizations further automate the enforcement of their compliance policies at scale, with the share of respondents saying that 100% of their policies are automatically enforced jumping from 5.1% in 2021 to 18.4% this year.
  4. With DevSecOps teams releasing software to production more quickly and frequently — some daily and others even around the clock — they should make sure that all code is delivered via a CI/CD (continuous integration / continuous delivery) pipeline with built-in security tests.
  5. There’s been a general increase in security testing during the build and release cycle, with just one exception: the use of security plug-ins in integrated development environments (IDEs) is down from last year.

SANS DevSecOps survey - 5 cloud security takeaways

原文:SANS Institute, “SANS 2022 DevSecOps Survey,” September 2022

How can Tenable help put these insights to work for you?

Tenable offers software-as-a-service (SaaS) solutions and expertise, such as Tenable Cloud Security, a unified cloud security posture and vulnerability management solution that can be applied to support many of the SANS findings, no matter where you are in your journey:

  1. To improve management buy-in, and foster DevSecOps collaboration Tenable Cloud Security offers executives and DevSecOps practitioners integrated role-based dashboards that offer the targeted insights each needs to make better security decisions for their respective functions. For example, an overarching Cyber Exposure Score allows executives and cloud security architects to assess their organization's overall cloud security posture as compared to industry peers and justify investment decisions.
  2. To ease the pain of securing mixed-provider cloud environments, Tenable Cloud Security supports popular best practices like Center for Internet Security (CIS) benchmarks out-of-the-box and applies them consistently across cloud providers, and technologies — from virtual machines to cloud native architectures using infrastructure as code (IaC), containers, and Kubernetes. It also allows for the definition of custom policy-as-code to meet unique requirements.
  3. To enforce compliance at scale, Tenable Cloud Security enables compliance testing for critical regulatory frameworks, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and others across all runtime environments — dev, test, staging and production — and provides automated compliance reporting, drift detection and alerting when runtime configurations deviate from compliance.
  4. To ensure security tests are applied within CI/CD pipelines, Tenable Cloud Security integrates with popular CI/CD tools and applies an extensive knowledge base of 1,500 policies, and 72,000 vulnerabilities from Tenable Research, to identify misconfigurations in IaC and vulnerabilities in images and to provide automatic guardrails to notify or prevent deployment for severe violations.
  5. To drive greater automation across build and release workflows, Tenable Cloud Security provides additional testing options for DevSecOps teams, including testing of code by developers on their desktop, integration and testing of source code management repositories and the ability to create automated pull requests that include compliant code that developers can accept with just a click, or security teams can set for auto-remediation.




輸入您的電子郵件地址,以便收到最新 cyber exposure 警示。



您的 Tenable.io Vulnerability Management 試用版也包含 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

tenable.io 購買

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產



免費試用 Nessus Professional

免費試用 7 天

Nessus® 是現今市場上功能最全面的弱點掃描工具。

最新 - Nessus Expert 現已上市

Nessus Expert 新增了更多功能,包括外部攻擊破綻掃描和新增網域及掃描雲端基礎架構的能力。按這裡試用 Nessus Expert。

請填妥以下表單以繼續 Nessus Professional 試用。

購買 Nessus Professional

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買多年期授權,節省更多。新增 365 天全年無休 24 小時全天候可使用電話、社群及對談的進階支援。






您的 Tenable.io Vulnerability Management 試用版也包含 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

Tenable.io 購買

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產



試用 Tenable.io Web Application Scanning

享受我們專為現代應用程式而設計,屬於 Tenable.io 平台一部分的最新 Web 應用程式掃描產品的所有功能。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊。

您的 Tenable Web Application Scanning 試用版也包含 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.cs Cloud Security。

購買 Tenable.io Web Application Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

5 個 FQDN



試用 Tenable Lumin

透過 Tenable Lumin,能夠以視覺方式呈現 Cyber Exposure 並加以探索,長期追蹤風險降低狀況,以及對照同業進行指標分析。

您的 Tenable Lumin 試用版也包含 Tenable.io Vulnerability Management、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

購買 Tenable Lumin

聯絡業務代表,瞭解 Lumin 如何協助您獲得整個企業的深入洞見,並管理網路風險。

試用 Tenable.cs


您的 Tenable.cs Cloud Security 試用版也包含 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.io Web Application Scanning。

聯絡業務代表購買 Tenable.cs

聯絡業務代表,以深入瞭解 Tenable.cs Cloud Security 如何輕鬆讓您的雲端帳戶上線,以及如何在數分鐘內輕鬆取得雲端錯誤設定與弱點的能見度。

免費試用 Nessus Expert

免費試用 7 天

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。

您已擁有 Nessus Professional 嗎?
升級至 Nessus Expert,免費試用 7 天。

購買 Nessus Expert

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。