
Tenable Blog


Cloud Security: 5 Key Takeaways from the SANS DevSecOps Survey

5 cloud security highlights from the “SANS 2022 DevSecOps Survey.”

A recent SANS Institute report finds that DevSecOps teams are improving their tooling, processes and techniques, but their organizations’ increasingly hybrid and multi-cloud IT environments are getting harder to secure. Check out key highlights from the “SANS 2022 DevSecOps Survey.”

Organizations continue to mature DevSecOps – the alignment of development, operations and security teams, tools and processes – but improving their security posture isn’t getting easier due to newer, more complex challenges.

That’s a key takeaway from the SANS Institute’s “SANS 2022 DevSecOps Survey,” based on a survey of 431 security leaders and practitioners worldwide.

In this blog, we highlight five insights from the report, which offers a deep dive on DevSecOps trends as well as concrete recommendations to keep DevSecOps efforts on the right track. We also provide insights on how Tenable can help.

At the root of many of the DevSecOps challenges highlighted in the SANS report is the increasingly hybrid, multi-cloud nature of organizations’ IT environments, where applications are “more than ever” being hosted on-premises and in multiple cloud platforms using virtual machines, containers and serverless functions.

“Such environments present security challenges because of the inherent differences among the various cloud service providers and the very different demands of on-premises hosting,” reads the 20-page report, which was sponsored by Tenable.

Five insights to bolster your DevSecOps strategy

[Figure: SANS DevSecOps survey - 5 cloud security takeaways. Source: SANS Institute, “SANS 2022 DevSecOps Survey,” September 2022]

  1. When asked to list the top factors contributing to their DevSecOps success, respondents ranked the following:
    • Management buy-in
    • Improved communications among dev, sec and ops
    • Automated build / test / deploy workflow
    • Integrated automatic security testing
    • Developer buy-in
  2. DevSecOps teams are underutilizing cloud security posture management (CSPM) software, which can help secure multi-cloud environments with a mix of VMs, containers and serverless functions at scale. The report suggests organizations consider increasing their usage and adoption of CSPM products.
  3. CSPM and policy-as-code are helping organizations further automate the enforcement of their compliance policies at scale, with the share of respondents saying that 100% of their policies are automatically enforced jumping from 5.1% in 2021 to 18.4% this year.
  4. With DevSecOps teams releasing software to production more quickly and frequently — some daily and others even around the clock — they should make sure that all code is delivered via a CI/CD (continuous integration / continuous delivery) pipeline with built-in security tests.
  5. There’s been a general increase in security testing during the build and release cycle, with just one exception: the use of security plug-ins in integrated development environments (IDEs) is down from last year.


How can Tenable help put these insights to work for you?

Tenable offers software-as-a-service (SaaS) solutions and expertise, such as Tenable Cloud Security, a unified cloud security posture and vulnerability management solution that can be applied to support many of the SANS findings, no matter where you are in your journey:

  1. To improve management buy-in and foster DevSecOps collaboration, Tenable Cloud Security offers executives and DevSecOps practitioners integrated role-based dashboards that offer the targeted insights each needs to make better security decisions for their respective functions. For example, an overarching Cyber Exposure Score allows executives and cloud security architects to assess their organization's overall cloud security posture as compared to industry peers and justify investment decisions.
  2. To ease the pain of securing mixed-provider cloud environments, Tenable Cloud Security supports popular best practices like Center for Internet Security (CIS) benchmarks out-of-the-box and applies them consistently across cloud providers and technologies — from virtual machines to cloud native architectures using infrastructure as code (IaC), containers, and Kubernetes. It also allows for the definition of custom policy-as-code to meet unique requirements.
  3. To enforce compliance at scale, Tenable Cloud Security enables compliance testing for critical regulatory frameworks, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and others across all runtime environments — dev, test, staging and production — and provides automated compliance reporting, drift detection and alerting when runtime configurations deviate from compliance.
  4. To ensure security tests are applied within CI/CD pipelines, Tenable Cloud Security integrates with popular CI/CD tools and applies an extensive knowledge base of 1,500 policies and 72,000 vulnerabilities from Tenable Research to identify misconfigurations in IaC and vulnerabilities in images, and to provide automatic guardrails that notify on, or prevent deployment for, severe violations.
  5. To drive greater automation across build and release workflows, Tenable Cloud Security provides additional testing options for DevSecOps teams, including testing of code by developers on their desktop, integration and testing of source code management repositories and the ability to create automated pull requests that include compliant code that developers can accept with just a click, or security teams can set for auto-remediation.
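To make the policy-as-code enforcement and CI/CD guardrails described in survey findings 3 and 4 above (and in item 4 of the Tenable list) concrete, here is a small Python gate written as an added example for this post; it is not SANS's or Tenable's code. It evaluates a constructed IaC plan against severity-tagged, CIS-benchmark-style policies, reports what share of policies is automatically enforced, and blocks deployment on high-severity violations while only notifying on lesser ones. The resource shape, policy names and SAMPLE_PLAN are all constructed assumptions, not any real tool's format.

```python
"""Minimal policy-as-code gate for a CI/CD pipeline (constructed example)."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample IaC plan; the resource shape is hypothetical, not any real tool's format.
SAMPLE_PLAN = [
    {"type": "storage_bucket", "name": "logs", "public_read": True, "encrypted": True},
    {"type": "security_group", "name": "bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "vm", "name": "web-1", "disk_encrypted": False},
]

@dataclass(frozen=True)
class Policy:
    id: str
    severity: str                  # "high" blocks the deploy; lower severities only notify
    resource_type: str
    check: Callable[[dict], bool]  # returns True when the resource is compliant
    enforced: bool = True          # False: policy is documented but not automated

# CIS-benchmark-style rules (constructed); "tagging-standard" is deliberately not automated
POLICIES = [
    Policy("no-public-buckets", "high", "storage_bucket", lambda r: not r.get("public_read", False)),
    Policy("bucket-encryption", "medium", "storage_bucket", lambda r: r.get("encrypted", False)),
    Policy("no-world-ssh", "high", "security_group", lambda r: not any(
        i["port"] == 22 and i["cidr"] == "0.0.0.0/0" for i in r.get("ingress", []))),
    Policy("vm-disk-encryption", "medium", "vm", lambda r: r.get("disk_encrypted", False)),
    Policy("tagging-standard", "low", "vm", lambda r: "owner" in r, enforced=False),
]

def evaluate(plan, policies):
    """Return (policy_id, resource_name, severity) for every enforced policy a resource fails."""
    return [(p.id, r["name"], p.severity)
            for p in policies if p.enforced
            for r in plan if r["type"] == p.resource_type and not p.check(r)]

def enforcement_share(policies):
    """Share of policies enforced automatically rather than by manual review."""
    return sum(p.enforced for p in policies) / len(policies)

def gate(plan, policies):
    """Pipeline decision: 'block' on any high-severity violation, 'notify' on lesser ones, else 'pass'."""
    violations = evaluate(plan, policies)
    if any(sev == "high" for _, _, sev in violations):
        return "block", violations
    return ("notify" if violations else "pass"), violations

if __name__ == "__main__":
    decision, found = gate(SAMPLE_PLAN, POLICIES)
    print(f"{decision}: {found}; enforced share={enforcement_share(POLICIES):.0%}")
```

Run against the constructed plan, the gate blocks the deploy because of the public bucket and world-reachable SSH rule, and the unencrypted VM disk is reported as a notify-only finding.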
