Addressing Software Exposure Within the DevOps Cycle
August 16, 2018

Maty Siman
Checkmarx

There once was a time in software development where developers could design, build and then think about their software's security. However in today's highly connected, API-driven application environment, this approach is simply too risky as it exposes the software to vulnerabilities.

To help organizations better understand the evolving nature of software delivery and the critical role security plays from start to finish, a new report, Managing Software Exposure: Time to Fully Embed Security into Your Application Lifecycle, was released by Checkmarx in coordination with FreeForm Dynamics and The Register. The results identify challenges associated with software exposure and security within the DevOps cycle and how organizations can best overcome them.

Among key findings:

Gaps exist between theory and practice when it comes to security's role in DevOps

96 percent of respondents reported that it is "desirable" or "highly desirable" for developers to be properly trained on how to produce secure code

Although there is no how-to guide when it comes to security today, the study found that a major gap exists between what's needed and what's actually in place among organizations surveyed. In fact, 96 percent of respondents reported that it is "desirable" or "highly desirable" for developers to be properly trained on how to produce secure code. Yet, 41 percent still agree that defining clear ownership and responsibility in relation to software security remains a challenge.

While true that there is an apparent desire for a "shift left" approach, ops teams can't be the only ones responsible for implementing it. Developers must not be overlooked when it comes to security and should actually be the ones pioneering an earlier adoption of security within the development process. Which leads us to the question of, why isn't this already happening if both parties consider it a priority?

According to the study, just 11 percent of respondents say they have adequately addressed the need for developer education in this area. Therefore, it's clear that more can be done from an organizational perspective to encourage a "shift left" approach within DevOps.

Don't alienate the C-Suite from security conversations

Now more than ever, c-level executives need to understand the crucial role security plays within their organizations. It takes just one data breach or hack for a brand's reputation to completely crumble, leaving C-level executives responsible and often times blind-sided.

45 percent of respondents still find it challenging to secure senior management approval for funding and security training

According to the survey, 57 percent of respondents "strongly agree" or "agree" with the statement that software security is now a boardroom issue. It's a matter of business risk. To ensure greater software security, developers and security teams must have the support from their executive teams. The catch? 45 percent of respondents still find it challenging to secure senior management approval for funding and security training. A catch-22 when circling back to the gap that exists between theory and practice as it relates to security's role in DevOps.

Furthermore, 44 percent of those surveyed felt that executives don't actually care about how quickly, frequently and safely developers deliver software, it just needs to be done.

Everyone involved with the DevOps cycle needs to work together

72 percent of respondents agree that different teams and disciplines within IT are still too reluctant to trust and work with one another

Developers, testers, security specialists and ops staff need to work together in order to be successful. It's not news that there has been a culture of inefficiency and miscommunication between developer and operations teams. The report found that even though DevOps culture removes many of the barriers between these two departments, 72 percent of respondents still agree that different teams and disciplines within IT are still too reluctant to trust and work with one another.

The bottomline is that in order to prevent software exposure throughout the development lifecycle, it is essential that we first work to resolve the issue of ownership and responsibility, helping to unite employees of diverse skill levels and experiences igniting a sense of mutual trust and respect.

Maty Siman is CTO and Founder of Checkmarx
Share this