How many reports are needed to answer the important questions about the security of the software supply chain? This week we look at five recent studies, with a focus on CI/CD and open source. As always, the analysis goes beyond the press release-based reporting you may have read elsewhere.

First off, we want to announce the results of a poll The New Stack conducted from April 14 through May 5, 2020. The raw data and tabulated results are available in a public workbook. We aren’t trumpeting the results with fancy charts because the sample size was small (79), but the answers add context to our analysis of the other surveys. For example, almost three quarters (58 of 79) think the percentage of software component dependencies that are out-of-date (i.e., a newer version has been released) should be a performance metric for DevOps teams. A Synopsys study found that 82% of analyzed codebases have components that have not been updated in the last four years. The industry will need to get more granular before this type of KPI can truly be implemented.
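To make that granularity concrete, here is an added example (not code from The New Stack, Synopsys or any of the surveys) that computes both measures over a constructed dependency inventory, separating the consumer's upgrade lag by semver level from upstream inactivity; the package names, the reporting date, the 365-day year and the three-part numeric version scheme are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Dependency:
    name: str
    used: str             # version pinned in our build
    latest: str           # newest version published upstream
    latest_release: date  # publication date of that newest version

def parse_version(v: str) -> tuple:
    """Numeric dotted versions only (assumption); "1.2" is padded to (1, 2, 0)."""
    return tuple((list(map(int, v.split("."))) + [0, 0, 0])[:3])

def lag_level(used: str, latest: str):
    """None if current, else the first semver level at which we are behind."""
    u, l = parse_version(used), parse_version(latest)
    if u >= l:
        return None
    for level, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if u[i] < l[i]:
            return level

def dependency_kpis(deps, as_of: date, stale_years: int = 4) -> dict:
    """Out-of-date = we lag upstream; unmaintained = no upstream release in stale_years (365-day years assumed)."""
    by_level = {"major": 0, "minor": 0, "patch": 0}
    unmaintained = 0
    for d in deps:
        level = lag_level(d.used, d.latest)
        if level:
            by_level[level] += 1
        if (as_of - d.latest_release).days > stale_years * 365:
            unmaintained += 1
    n = len(deps)
    return {
        "out_of_date_pct": round(100 * sum(by_level.values()) / n, 1),
        "by_level": by_level,
        "unmaintained_pct": round(100 * unmaintained / n, 1),
    }
# Constructed inventory for the example; these are not real packages.
INVENTORY = [
    Dependency("libfoo", "1.4.2", "1.4.2", date(2024, 1, 10)),  # current
    Dependency("libbar", "2.0.0", "3.1.0", date(2023, 6, 1)),   # one major behind
    Dependency("libbaz", "1.2.0", "1.3.5", date(2022, 3, 15)),  # one minor behind
    Dependency("libqux", "0.9.1", "0.9.4", date(2019, 11, 2)),  # patch behind and unmaintained
    Dependency("libold", "0.3.0", "0.3.0", date(2018, 5, 20)),  # current yet unmaintained
]
AS_OF_DATE = date(2025, 6, 1)  # assumed reporting date

def sample_report() -> dict:
    return dependency_kpis(INVENTORY, AS_OF_DATE)
```

Note that libold is current yet unmaintained while libqux is only a patch behind: the two KPIs answer different questions, which is why a single "out-of-date" percentage is too coarse on its own.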

Although our question dealt with the DevOps role, another survey, this one from GitLab, found that there continue to be problems getting developers to be accountable for finding code vulnerabilities. We’ve previously noted that there are many problems when security is a shared responsibility. Our findings indicate that the types of tools the security team has access to differ substantially depending on which team has the leading role in selecting the tooling used in the deployment or release management stage of the CI/CD pipeline.

Snyk’s State of Open Source Security Survey is still in the field and looks at how and when container images are analyzed for security. Based on our findings, we expect security teams to be more interested in scanning container images than other job roles are.

#ci/cd #devops #security #research

Unmaintained Dependencies and Other Ways to Measure CI/CD Security