Tech consortium urges adoption of ‘DevQualOps’ model
UPDATED Security vulnerabilities and other software shortcomings cost the US economy more than $2 trillion in 2020, according to a new report.
Operational software failures were by far the biggest contributor, with Home Depot’s recent multi-state data breach settlement of $17.5 million for a 2014 payment card breach cited as one egregious example.
The research, published today (January 6) by the Consortium for Information & Software Quality (CISQ), estimates the total cost of these failures at $1.56 trillion – a 22% jump on the 2018 figure (PDF).
What’s more, this number could underestimate the true cost of what are usually unresolved application flaws, given that many failures go unreported, says the report, which is sponsored by Undo, Synopsys, and OverOps.
During a bumper two years for cyber-crooks, “exploitable weaknesses and vulnerabilities in software” were “the largest growth area by far” in cybercrime, a trend likely to continue, said Herb Krasner, member of CISQ’s advisory board and author of the report.
Problems with legacy systems, meanwhile, incurred costs of around $520 billion, while the cost of unsuccessful development projects – around one in five of all projects – led to costs of approximately $260 billion.
Separately, technical debt was valued at $1.31 trillion (not including interest).
Ballooning attack surface
Cybersecurity budgets are set to increase amid widespread exploitation of the Covid-19 pandemic by cybercriminals and the ballooning attack surface, with billions of lines of new software code being written each year.
Despite these expanding budgets, however, Krasner raised concerns about how the global cybersecurity skills gap was forcing software engineers to build software out of open source components without necessarily understanding whether or not they contained security vulnerabilities.
Preventing vulnerabilities should be the priority, said Krasner. Failing that, organizations must “address weaknesses and vulnerabilities in software by isolating, mitigating, and correcting them as closely as possible to where they were injected to limit the damage done.”
The CISQ report recommends that, among other things, development teams measure undertake “early and regular analysis of source code to detect violations, weaknesses, and vulnerabilities”, and understand “typical vulnerabilities and exploitable weaknesses attributable to certain programming languages”.
‘Start, define, measure, manage’
Fundamental to achieving these goals is progressing beyond agile and DevOps models, where the testing and commitment of “small, incremental changes” on a “daily, hourly, or even moment-by-moment” basis accelerates development cycles but doesn’t necessarily enhance quality.
Organizations must instead cleave to the so-called ‘DevQualOps’ model, of which DevSecOps is a sub-factor. “A ‘start, define, measure, manage’ approach enables the organization to break free from ‘anything-goes’ approaches to quality and starts the journey towards DevQualOps maturity.”
Joe Jarzombek, director for government and critical infrastructure programs at Synopsys, told The Daily Swig that he expected DevSecOps, and therefore by default DevQualOps, practices to become widely adopted in 2021 because “these best practices and tools are [widely] available for adoption, and organizations have become sensitized to exploitation of their software products.
“As such organizations that have traditionally focused on quality with security as a separate function have sought ways to better integrate security with quality.
He added: “While it would be more correct call this DevQualOps as specified in the CPSQ Report (especially since security is just one characteristic of quality), the term DevSecOps will continue to dominate. Given the overall lax focus on security in the past, it is appropriate to keep DevSecOps in the forefront of adoption (knowing that this is a key part of focusing on quality).
“This has been a long way of saying DevSecOps is becoming more mainstream, even though many organizations are still on the path for full adoption of the applicable practices with the right tools.”
This article was updated on January 6 with comments from Synopsys