OpenText has partnered with Secure Code Warrior to make it simpler for application developers to learn best DevSecOps practices as needed.

Dylan Thomas, senior director of product and engineering at OpenText, said organizations that adopt Open Fortify code scanning tools and services can now seamlessly give developers access to the security training tools created and maintained by Secure Code Warrior.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

The overall goal is to reduce the level of friction application developers might encounter when they need to learn new security skills, he added.

Additionally, organizations from a billing perspective now have a single point of contact to streamline vendor management, noted Thomas.

Application developers, as a rule, don’t set out to create an insecure application, but unless issues are surfaced at the time they are writing code they will continue to make mistakes. In addition to surfacing issues using code scanning tools, OpenText is now making it easier for developers to resolve issues by consulting the corpus of application security training content that Secure Code Warrior curates.

Additionally, Secure Code Warrior will use findings from OpenText code analysis tools to extend the scope of the training it provides, and OpenText will be exposing that training content to the portfolio of artificial intelligence (AI) agents it is developing.

That’s crucial in an era where more security issues are being traced back to flaws that were created when an application was developed. A recent OpenText survey, for example, found that 62% of respondents who worked for organizations impacted by a ransomware attack in the past year later discovered the issue originated with a partner that was part of their software supply chain.

In general, the training provided by Secure Code Warrior is more effective because of the gamification techniques it employs to engage application developers more deeply to enable organizations to embrace secure-by-design principles, said Thomas.

Less clear, however, is the degree to which organizations are prioritizing the adoption of best DevSecOps practices. A Techstrong Research survey finds less than half (47%) of respondents work for organizations that regularly employ best DevSecOps practices. Only 54% of respondents regularly practice code scanning for vulnerabilities during development, while 40% conduct security testing, the survey finds.

On the plus side, a full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high. Nearly two-thirds (64%) also noted they are specifically investing in a code scanning tool, with 24% describing those investments as high.

Ultimately, the easier it becomes for developers to do the right thing the more likely it becomes that application security will generally improve. There may never come a day when there is such a thing as perfect security but it should be feasible to eliminate the types of security mistakes that are all too commonly made today. After all, the simple truth of the matter is that when it comes to vulnerabilities in software there are simply too many of them for cybercriminals to easily exploit.