Securing software development environments is top concern for security leaders, according to latest global survey

Eran Orzel
Apr 09 · 2 min read

Today, CI/CD pipelines form the backbone of modern-day DevOps operations.

Over the past few years, the software development industry has pivoted to continuous integration and continuous delivery (CI/CD), which gives application developers a faster and more automated way to develop, build, test, and deploy new software.

But these improvements come at a cost. CI/CD pipelines create a new attack surface for organizations, introducing new security risks and challenges. The new process runs the company's source code through a series of cloud-based services and open-source tools, all of which effectively become part of its network and trust boundary.

In the past two years, we have seen dozens of security breaches and cyberattacks that exploit misconfigurations and vulnerabilities within development environments. Companies such as SolarWinds, Microsoft, Mercedes, and many others fell victim to attacks on their software supply chain.


Following the SolarWinds breach, Argon Security partnered with Hyperwise Ventures, a leading cybersecurity VC, to seek answers about the state of security in development environments. In this global survey, we asked more than 200 security leaders about the security state of their software development environment and the risks and challenges they face.

The survey revealed that although 90% of the organizations rely on CI/CD pipelines for software delivery, using two or more tools, confidence in the security of these development environments is very low: 80% of the leaders surveyed said they lack confidence in their ability to withstand an attack targeting their development environments.

The main software supply chain risks highlighted by the survey were:

  • A lack of security controls over the CI/CD pipeline, which can open a backdoor into the organization's network and infrastructure.
  • Attacker access to the CI/CD tools, which allows tampering with the code or injecting vulnerabilities into the application as it passes through the pipeline.
  • User misconfigurations that can result in leaks of source code and secrets.


Although these risks are top of mind, only 30% of respondents deploy dedicated protection on their CI/CD pipeline, and even then it is mainly through siloed point solutions.

When asked about the reason behind this gap, the security leaders raised three main recurring challenges:

  • High complexity: with more than 100 different pipeline tools connected by DevOps scripts, there is no industry standard and no two pipelines look alike.
  • Limited cooperation between the R&D teams that build and run the pipelines and the security teams responsible for securing the organization. Without visibility into the pipeline and collaboration with the DevOps teams, it is difficult to enforce proper security measures.
  • The development team's motivation is release speed, so it is hard to enforce security practices on developers for whom security is not a key focus.


Overall, there is substantial agreement among security leaders that securing the CI/CD pipeline would improve their overall security posture. Most of the security leaders surveyed state that CI/CD security is in their plans for the next 24 months.

Argon provides security for CI/CD pipelines, addressing the risk from misconfigurations and vulnerabilities in your DevOps environments. It provides a unified view of the entire development environment and enforces security best practices at every stage of the software delivery process, including real-time alerts and auto-remediation that minimize your exposure.


By Eran Orzel, Argon's Chief Revenue Officer

