DevOps and Security Teams Are Still in Silos
In theory, a DevOps culture stressing communication between software developers and IT operations professionals can improve application security by enabling organizations to find and fix issues more frequently and earlier in the process. In practice, however, security often takes a back seat to speed and innovation during software development, especially with the growing emphasis on rapid application delivery.

A recent study by Hewlett Packard Enterprise titled "Application Security and DevOps Report 2016" reveals that few DevOps programs actually include security as part of the process. Only one in five of the 500 IT operations professionals, security leaders and developers surveyed said their organization conducts any application security testing during development. Even more alarming, almost as many aren't using any technologies to protect their applications. Most organizations adopting DevOps are relying on downstream technologies, such as pre-production penetration testing and network security, to protect apps.

The vast majority of respondents said integrating application security into the process has actually become more difficult since their organization deployed DevOps. The study cites a widespread lack of security awareness and training for developers, as well as a shortage of security talent in the enterprises included in the study.

Unless organizations address the disconnect between developers and security teams, problems could worsen in DevOps environments, the study authors warn. They recommend that security be embedded throughout every stage of the development process, with executive support and metrics to hold teams accountable, and that security tools be integrated into the development ecosystem.