
Want to avoid a data breach? Take DevOps and let developers work from home, says Google



DevOps, which delivers faster software updates, can help prevent the flood of profiles exposed in data breaches, but Google's research finds that existing methods are not up to the task at hand.

Google surveyed 33,000 tech professionals to discover how DevOps – that is, aligning software development with IT operations – impacts cybersecurity as part of its annual Accelerate State of DevOps report. As it notes, more than 22 billion records were exposed in 2021 through 4,145 breaches that were made public.

The report comes out as Australian telecommunications company Optus deals with the fallout from a major breach that exposed the personally identifiable information (PII) of nearly 10 million residents after a hacker attacked an application programming interface (API) on a cloud-hosted endpoint that required no password to access.

Google’s survey focuses on software supply chain security – an area of security that has received more attention since the attack on SolarWinds in 2020 and this year’s open source Log4Shell vulnerability. These two cases changed the way the tech industry manages software development processes and uses components, such as libraries and language packs, in other products and services.

DevOps aims to accelerate software releases while maintaining quality, and it increasingly focuses on security updates. But how much has changed since the SolarWinds and Log4Shell breaches?

To estimate this, Google used the Software Bill of Materials (SBOM) concept that the White House instructed federal agencies of the United States to implement by 2021, called Supply-chain Levels for Software Artifacts (SLSA).

One of Google’s main ideas is that for large open source projects, two developers should cryptographically sign changes made to source code. This method would have prevented state-sponsored attackers from compromising SolarWinds’ software build system by installing an implant that inserted a backdoor during each new build. Google also uses NIST’s Secure Software Development Framework (SSDF) as the baseline in the survey.

Google found that 63% of respondents used application-level security scanning as part of a continuous integration/continuous delivery (CI/CD) system for production releases. It also found that most developers are keeping code history and using build scripts.

That’s a reassuring trend, even though fewer than 50% are practicing two-person reviews of code changes, and only 43% are signing metadata.

“The software supply chain security approaches embodied in SLSA and SSDF have shown modest adoption, but there is still room for more,” the report concludes.

Keeping employees happy can also change security outcomes. Google has found that employers who give employees a hybrid option perform better and experience less burnout.

“The results show that organizations with higher levels of employee flexibility have higher organizational performance than organizations with more structured work. These findings provide evidence that giving employees the freedom to modify their work arrangements as needed provides direct and tangible benefits to the organization,” Google notes.

Google stepped into a murky realm when it asked respondents to forecast how work would affect future bugs by asking them to predict the likelihood of a security breach or outright failure in the next 12 months.

People who work at “high-performing organizations are less likely to make major errors,” Google said.




