DevOps and Security Teams Are Still in Silos
Although DevOps holds tremendous promise for more secure software development, serious issues are hindering organizations from integrating security and DevOps.
Most See Potential
99% of the IT operations professionals, security leaders and developers surveyed believe that adopting a DevOps culture can improve application security.
But Few Follow Through
Only 20% are performing application security testing during development.
And Some Do Nothing
And 17% are not using any technologies to protect their apps.
All See Integration as Key
100% of the respondents state that integration is key to the success of an application security program.
But Most Say It's Harder With DevOps
Yet 90% of security professionals say that integrating application security has become more difficult since the deployment of DevOps.
Security Gets Little Attention
Of 100+ job postings for software developers at Fortune 1000 companies, none mentioned security or secure coding experience and knowledge.
Little Crossover
Only 15% of chief security officers (CISOs) have a background in development.
Security Pros Far Outnumbered
80:1 is the ratio of developers to security professionals in the organizations surveyed.
DevOps Gains Ground
90% of organizations surveyed have at least 5% of their development teams practicing DevOps, typically with small pilot programs.
But Some Don't Know That
30% of those who said their organization was not practicing DevOps were in fact deploying some capabilities considered part of the DevOps process.
In theory, a DevOps culture stressing communication between software developers and IT operations professionals can improve application security by enabling organizations to find and fix issues more frequently and earlier in the process. In practice, however, security often takes a back seat to speed and innovation during software development, especially with the growing emphasis on rapid application delivery.
A recent study by Hewlett Packard Enterprise titled "Application Security and DevOps Report 2016" reveals that few DevOps programs actually include security as part of the process. Only one in five of the 500 IT operations professionals, security leaders and developers surveyed said their organization conducts any application security testing during development. Even more alarming, almost as many aren't using any technologies to protect their applications. Most organizations adopting DevOps are relying on downstream technologies, such as pre-production penetration testing and network security, to protect apps. The vast majority of respondents said integrating application security into the process has actually become more difficult since their organization deployed DevOps.
The study cites a widespread lack of security awareness and training for developers, as well as a shortage of security talent in the enterprises included in the study. Unless organizations address the disconnect between developers and security teams, problems could worsen in DevOps environments, the study authors advise. They recommend that security be embedded throughout every stage of the development process, with executive support and metrics to hold teams accountable, and that security tools be integrated into the development ecosystem.