
Tenable Blog


To Boost Software Supply Chain Security, Stop the Finger-Pointing

To boost DevSecOps, stop the blame game

Google’s annual DevOps report finds that organizations with a low-blame, collaborative approach have stronger app dev security practices. 

For the first time in eight years, the “Accelerate State of DevOps Report” from Google’s DevOps Research and Assessment (DORA) team zooms in on software supply chain security.

It’s further proof of the growing importance of protecting application development environments, which attackers increasingly target in order to stealthily deliver malware through legitimate software-release channels.

A key takeaway from the report is quite revealing: Team culture, not technology, is the most important factor at play when it comes to effectively securing the software development lifecycle (SDLC).

“High-trust, low-blame cultures focused on performance were 1.6x more likely to have above average adoption of emerging security practices than low-trust, high-blame cultures focused on power or rules,” reads the report.

This type of team culture promotes cooperation, shared accountability and a willingness to learn from mistakes. It likely encourages DevOps team members to be proactive about security and to feel comfortable about reporting security issues, according to the report.

Study: To boost software supply chain security, stop the finger-pointing

The study is based on a global poll of more than 1,350 respondents who work primarily in software development or engineering teams; DevOps or site reliability engineering (SRE) teams; and IT operations or infrastructure teams.

Survey questions about security topics were based on the defensive measures of the Supply Chain Levels for Software Artifacts (SLSA) framework and of the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF).

Here are other key findings from the report:

  • A majority of respondents have at least partially adopted every SLSA and SSDF practice mentioned in the report, meaning that supply-chain security practices have been broadly put into practice, but plenty of room for growth remains. 
  • Organizations that use public cloud platforms are more likely to incorporate SLSA practices in particular, probably because cloud providers encourage and facilitate SLSA adoption.
  • Having a continuous integration and delivery (CI/CD) pipeline for software releases is critical because it offers an integration platform for supply chain security practices, such as vulnerability scanning and code analysis.
  • Developers expressed a desire to run scans on their workstations before sending code to the CI/CD pipeline, so they can assess the security of their software components – especially open source ones – earlier.
  • DevOps teams can do better at reducing friction between security and development processes, as 56% of respondents said that security practices slow down their application development process.
  • Benefits of adopting supply-chain security processes extend beyond security risk reduction, and include having DevOps pros who suffer from less burnout and are more likely to recommend their team as a great place to work.

Some of respondents’ most widely adopted SDLC security practices were: 

  • Having a centralized CI/CD system
  • Monitoring public information regarding software vulnerabilities
  • Preserving code history
  • Analyzing and testing code continuously for vulnerabilities
  • Reviewing security requirements regularly
  • Defining builds exclusively through scripts
  • Keeping builds isolated from each other
  • Storing build definitions and configurations in text files in a version control system
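Two of the practices above (monitoring public vulnerability information and continuously analyzing code for vulnerabilities), together with the developers’ wish to run scans on their own workstations before code reaches the CI/CD pipeline, come down to a simple check that can sit in a pre-commit hook or an early pipeline stage: read the pinned dependency manifest and fail if any pin falls inside a published vulnerable version range. The script below is an added illustration written for this post, not code from the DORA report or from any Tenable product; the advisory list, package names and manifest are constructed sample data, and version comparison handles only numeric dotted versions.

```python
"""Pre-pipeline dependency check: flag pinned packages whose versions fall
inside a known-vulnerable range.

The advisory entries and the manifest below are constructed sample data
for illustration; a real check would load them from a published feed."""
import re

# Constructed sample advisories (hypothetical package names and ranges).
# Each entry: package, first vulnerable version (inclusive),
# first fixed version (exclusive), advisory identifier.
ADVISORIES = [
    ("exampleparser", "1.0.0", "1.4.2", "EX-2023-0001"),
    ("exampleparser", "2.0.0", "2.1.0", "EX-2023-0002"),
    ("fakehttp", "0.0.0", "3.2.5", "EX-2022-0100"),
]

# Constructed sample requirements.txt content: every dependency is pinned.
SAMPLE_MANIFEST = """\
# pinned dependencies
exampleparser==1.3.9
fakehttp==3.2.5
othertool==0.9.1   # comment
"""


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_manifest(text):
    """Return {name: version} for lines of the form name==version.

    Anything that is not an exact pin is rejected: an unpinned requirement
    can resolve to a different artifact on each build, which defeats the
    point of checking it here."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return [(name, version, advisory_id)] for pins inside a vulnerable range."""
    hits = []
    for name, version in pins.items():
        v = parse_version(version)
        for pkg, lo, hi, adv in advisories:
            if pkg == name and parse_version(lo) <= v < parse_version(hi):
                hits.append((name, version, adv))
    return hits


def check_manifest(text):
    """Exit-status-style result: 0 if clean, 1 if any pin is vulnerable."""
    hits = find_vulnerable(parse_manifest(text))
    for name, version, adv in hits:
        print(f"{name}=={version}: vulnerable ({adv})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Non-zero exit lets a git hook or CI stage block the change.
    raise SystemExit(check_manifest(SAMPLE_MANIFEST))
```

In the sample data `exampleparser==1.3.9` sits inside the first advisory range and is reported, while `fakehttp==3.2.5` is exactly the fixed version and passes; the upper bound is exclusive so the fixed release is not flagged. Running the same check locally and again in the pipeline gives developers the early signal the report says they want without removing the pipeline-side control.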
