
Tenable Blog

Cloud Security: 5 Key Takeaways from the SANS DevSecOps Survey

5 cloud security highlights from the “SANS 2022 DevSecOps Survey.”

A recent SANS Institute report finds that DevSecOps teams are improving their tooling, processes and techniques, but their organizations’ increasingly hybrid and multi-cloud IT environments are getting harder to secure. Check out key highlights from the “SANS 2022 DevSecOps Survey.”

Organizations continue to mature DevSecOps – the alignment of development, operations and security teams, tools and processes – but improving their security posture isn’t getting easier due to newer, more complex challenges.

That’s a key takeaway from the SANS Institute’s “SANS 2022 DevSecOps Survey,” based on a survey of 431 security leaders and practitioners worldwide.

In this blog, we highlight five insights from the report, which offers a deep dive on DevSecOps trends as well as concrete recommendations to keep DevSecOps efforts on the right track. We also provide insights on how Tenable can help.

At the root of many of the DevSecOps challenges highlighted in the SANS report is the increasingly hybrid, multi-cloud nature of organizations’ IT environments, where applications are “more than ever” being hosted on-premises and in multiple cloud platforms using virtual machines, containers and serverless functions.

“Such environments present security challenges because of the inherent differences among the various cloud service providers and the very different demands of on-premises hosting,” reads the 20-page report, which was sponsored by Tenable.

Five insights to bolster your DevSecOps strategy

[Figure: SANS DevSecOps survey - 5 cloud security takeaways. Source: SANS Institute, “SANS 2022 DevSecOps Survey,” September 2022]

  1. When asked to list the top factors contributing to their DevSecOps success, respondents ranked the following:
    • Management buy-in
    • Improved communications among dev, sec and ops
    • Automated build / test / deploy workflow
    • Integrated automatic security testing
    • Developer buy-in
  2. DevSecOps teams are underutilizing cloud security posture management (CSPM) software which can help secure at scale multi-cloud environments with a mix of VMs, containers and serverless. The report suggests organizations consider increasing their usage and adoption of CSPM products.
  3. CSPM and policy-as-code are helping organizations further automate the enforcement of their compliance policies at scale, with the share of respondents saying that 100% of their policies are automatically enforced jumping from 5.1% in 2021 to 18.4% this year.
  4. With DevSecOps teams releasing software to production more quickly and frequently — some daily and others even around the clock — they should make sure that all code is delivered via a CI/CD (continuous integration / continuous delivery) pipeline with built-in security tests.
  5. There’s been a general increase in security testing during the build and release cycle, with just one exception: the use of security plug-ins in integrated development environments (IDEs) is down from last year.


How can Tenable help put these insights to work for you?

Tenable offers software-as-a-service (SaaS) solutions and expertise, such as Tenable Cloud Security, a unified cloud security posture and vulnerability management solution that can be applied to support many of the SANS findings, no matter where you are in your journey:

  1. To improve management buy-in and foster DevSecOps collaboration, Tenable Cloud Security offers executives and DevSecOps practitioners integrated role-based dashboards that provide the targeted insights each needs to make better security decisions for their respective functions. For example, an overarching Cyber Exposure Score allows executives and cloud security architects to assess their organization's overall cloud security posture as compared to industry peers and to justify investment decisions.
  2. To ease the pain of securing mixed-provider cloud environments, Tenable Cloud Security supports popular best practices like Center for Internet Security (CIS) benchmarks out of the box and applies them consistently across cloud providers and technologies — from virtual machines to cloud-native architectures using infrastructure as code (IaC), containers and Kubernetes. It also allows for the definition of custom policy-as-code to meet unique requirements.
  3. To enforce compliance at scale, Tenable Cloud Security enables compliance testing for critical regulatory frameworks, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and others across all runtime environments — dev, test, staging and production — and provides automated compliance reporting, drift detection and alerting when runtime configurations deviate from compliance.
  4. To ensure security tests are applied within CI/CD pipelines, Tenable Cloud Security integrates with popular CI/CD tools and applies an extensive knowledge base of 1,500 policies and 72,000 vulnerabilities from Tenable Research to identify misconfigurations in IaC and vulnerabilities in images, and to provide automatic guardrails that notify on, or prevent deployment for, severe violations.
  5. To drive greater automation across build and release workflows, Tenable Cloud Security provides additional testing options for DevSecOps teams, including testing of code by developers on their desktops, integration with and testing of source code management repositories, and the ability to create automated pull requests containing compliant code that developers can accept with a single click or that security teams can set to auto-remediate.
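Survey items 3 and 4 above (policy-as-code enforcement at scale, and CI/CD pipelines with built-in security tests) and items 2 and 4 of the Tenable list (custom policy-as-code over IaC, guardrails that notify or block on severe violations) describe one mechanism in the abstract. The following is an added example, not code from the SANS report or from Tenable, showing the shape of that mechanism: a small set of policies expressed as code, evaluated against a simplified IaC plan, with a pipeline gate that passes, notifies or blocks depending on the worst finding. The plan schema, the policy identifiers (`STORAGE-001`, `NET-001`, …) and the sample resources are all constructed for this illustration and do not correspond to any real scanner's format.

```python
"""Policy-as-code gate for an infrastructure-as-code (IaC) plan.

Stand-alone illustration of automated policy enforcement plus a CI/CD
guardrail. The plan format, policy ids and sample resources are constructed
for this example; they are not Tenable's or any real tool's schema.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample plan: a provider-neutral view of what an IaC plan
# exposes (resource type, resource name, flat attribute map).
SAMPLE_PLAN = json.loads("""
{
  "resources": [
    {"type": "object_storage_bucket", "name": "public-assets",
     "attributes": {"public_read": true, "encryption": "none"}},
    {"type": "firewall_rule", "name": "admin-ssh",
     "attributes": {"port": 22, "cidr": "0.0.0.0/0"}},
    {"type": "firewall_rule", "name": "web",
     "attributes": {"port": 443, "cidr": "0.0.0.0/0"}},
    {"type": "object_storage_bucket", "name": "app-logs",
     "attributes": {"public_read": false, "encryption": "aes256"}}
  ]
}
""")


@dataclass(frozen=True)
class Policy:
    id: str                          # hypothetical id, e.g. "STORAGE-001"
    severity: str                    # "high" blocks the pipeline, "low" only notifies
    resource_type: str               # which resource type the check applies to
    description: str
    check: Callable[[Dict], bool]    # returns True when the resource is compliant


@dataclass(frozen=True)
class Finding:
    policy_id: str
    severity: str
    resource: str
    description: str


# Policies as code: each one is a plain predicate over a resource's attributes,
# so it can be version-controlled and reviewed like any other source file.
POLICIES: List[Policy] = [
    Policy("STORAGE-001", "high", "object_storage_bucket",
           "buckets must not allow anonymous public read",
           lambda a: not a.get("public_read", False)),
    Policy("STORAGE-002", "low", "object_storage_bucket",
           "buckets should enable at-rest encryption",
           lambda a: a.get("encryption", "none") != "none"),
    Policy("NET-001", "high", "firewall_rule",
           "administrative ports (22, 3389) must not be open to 0.0.0.0/0",
           lambda a: not (a.get("port") in (22, 3389)
                          and a.get("cidr") == "0.0.0.0/0")),
]


def evaluate(plan: Dict, policies: List[Policy] = POLICIES) -> List[Finding]:
    """Apply every policy to every resource of the matching type."""
    findings: List[Finding] = []
    for res in plan["resources"]:
        for pol in policies:
            if pol.resource_type == res["type"] and not pol.check(res["attributes"]):
                findings.append(Finding(pol.id, pol.severity,
                                        f"{res['type']}.{res['name']}",
                                        pol.description))
    return findings


def gate(findings: List[Finding]) -> str:
    """CI/CD guardrail: 'block' on any high finding, 'notify' if only low
    findings remain, 'pass' when the plan is fully compliant."""
    if any(f.severity == "high" for f in findings):
        return "block"
    if findings:
        return "notify"
    return "pass"


# Exit status a pipeline step would return; only 'block' fails the job.
EXIT_CODES = {"pass": 0, "notify": 0, "block": 1}


def run(plan: Dict) -> int:
    """Evaluate the plan, print findings and return the pipeline exit status."""
    findings = evaluate(plan)
    for f in findings:
        print(f"[{f.severity.upper()}] {f.policy_id} {f.resource}: {f.description}")
    decision = gate(findings)
    print(f"gate decision: {decision}")
    return EXIT_CODES[decision]


if __name__ == "__main__":
    raise SystemExit(run(SAMPLE_PLAN))
```

Run against the constructed plan, the two high-severity findings (a publicly readable bucket and SSH open to the world) make the gate return `block`, while the unencrypted bucket alone would only produce `notify`; splitting policies into a blocking tier and an advisory tier is what lets a team raise the share of automatically enforced policies without stalling every release on low-risk drift.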
