Lack of Security Training Hinders DevOps Success

With large-scale cyber-attacks becoming more frequent, security is more critical than ever, especially in fast-paced DevOps environments. But software developers are not receiving the security training they need, impeding the evolution to DevSecOps, the practice of integrating security into software development and testing. That could have real impact on the productivity of businesses in every industry, as well as on the security and quality of the software that underpins the digital economy. The "2017 DevSecOps Global Skills Survey" shows that three out of four DevOps professionals were not required to take any security courses to obtain a computer science or other IT-related college degree. As a result, many organizations are having great difficulty finding DevOps experts with adequate knowledge of security testing. Yet enterprises aren't providing that training in the workplace, according to most of the IT professionals surveyed. Not surprisingly, then, nearly one-third of them believe their IT workforce is unprepared to securely deliver software at DevOps speeds, and IT organizations increasingly struggle to fill out their IT teams with the right mix of skills. "This research highlights that the skills gap is real, and that there are no clear shortcuts to address it," said Maria Loughlin, senior vice president of engineering for Veracode, which commissioned the survey. "The industry will have to come together to address that gap and ensure the safety of the application economy. Organizations should be prepared to teach and supplement security education if necessary, given the ever-changing nature of programming languages and frameworks." The study, conducted for Veracode by DevOps.com, surveyed nearly 400 DevOps professionals globally, focusing on developers and operations experts, with a smattering of security and QA professionals in the mix.