Addressing Software Exposure Within the DevOps Cycle
August 16, 2018

Maty Siman

There once was a time in software development where developers could design, build and then think about their software's security. However in today's highly connected, API-driven application environment, this approach is simply too risky as it exposes the software to vulnerabilities.

To help organizations better understand the evolving nature of software delivery and the critical role security plays from start to finish, a new report, Managing Software Exposure: Time to Fully Embed Security into Your Application Lifecycle, was released by Checkmarx in coordination with FreeForm Dynamics and The Register. The results identify challenges associated with software exposure and security within the DevOps cycle and how organizations can best overcome them.

Among key findings:

Gaps exist between theory and practice when it comes to security's role in DevOps

96 percent of respondents reported that it is "desirable" or "highly desirable" for developers to be properly trained on how to produce secure code

Although there is no how-to guide when it comes to security today, the study found that a major gap exists between what's needed and what's actually in place among organizations surveyed. In fact, 96 percent of respondents reported that it is "desirable" or "highly desirable" for developers to be properly trained on how to produce secure code. Yet, 41 percent still agree that defining clear ownership and responsibility in relation to software security remains a challenge.

While true that there is an apparent desire for a "shift left" approach, ops teams can't be the only ones responsible for implementing it. Developers must not be overlooked when it comes to security and should actually be the ones pioneering an earlier adoption of security within the development process. Which leads us to the question of, why isn't this already happening if both parties consider it a priority?

According to the study, just 11 percent of respondents say they have adequately addressed the need for developer education in this area. Therefore, it's clear that more can be done from an organizational perspective to encourage a "shift left" approach within DevOps.

Don't alienate the C-Suite from security conversations

Now more than ever, c-level executives need to understand the crucial role security plays within their organizations. It takes just one data breach or hack for a brand's reputation to completely crumble, leaving C-level executives responsible and often times blind-sided.

45 percent of respondents still find it challenging to secure senior management approval for funding and security training

According to the survey, 57 percent of respondents "strongly agree" or "agree" with the statement that software security is now a boardroom issue. It's a matter of business risk. To ensure greater software security, developers and security teams must have the support from their executive teams. The catch? 45 percent of respondents still find it challenging to secure senior management approval for funding and security training. A catch-22 when circling back to the gap that exists between theory and practice as it relates to security's role in DevOps.

Furthermore, 44 percent of those surveyed felt that executives don't actually care about how quickly, frequently and safely developers deliver software, it just needs to be done.

Everyone involved with the DevOps cycle needs to work together

72 percent of respondents agree that different teams and disciplines within IT are still too reluctant to trust and work with one another

Developers, testers, security specialists and ops staff need to work together in order to be successful. It's not news that there has been a culture of inefficiency and miscommunication between developer and operations teams. The report found that even though DevOps culture removes many of the barriers between these two departments, 72 percent of respondents still agree that different teams and disciplines within IT are still too reluctant to trust and work with one another.

The bottomline is that in order to prevent software exposure throughout the development lifecycle, it is essential that we first work to resolve the issue of ownership and responsibility, helping to unite employees of diverse skill levels and experiences igniting a sense of mutual trust and respect.

Maty Siman is CTO and Founder of Checkmarx
Share this

Industry News

December 11, 2019

Bonitasoft announced that the Bonita platform is now available with advanced low-code features that permit better collaboration between citizen developers and professional developers.

December 11, 2019 announced WebAssembly Hub, a service for building, sharing, discovering and deploying WebAssembly (Wasm) extensions for Envoy Proxy-based service meshes.

December 11, 2019

Datawire unveiled the new Ambassador Edge Stack 1.0, an integrated edge solution that empowers developer teams to rapidly configure the edge services required to build, deliver and scale their applications running in Kubernetes.

December 10, 2019

Redgate Software launched its fourth annual State of Database DevOps Survey.

December 10, 2019

Compuware has signed a definitive agreement to acquire the assets of INNOVATION Data Processing, a provider of enterprise data protection, business continuance and storage resource management solutions serving the mainframe market.

December 10, 2019

Dynatrace announced its Autonomous Cloud Enablement (ACE) Practice to accelerate DevOps’ movement to autonomous cloud operations.

December 09, 2019

NS1, announced the expansion of its suite of integrations to include Kubernetes, Consul, Avi Networks (VMWare NSX), NGINX, and HAProxy.

December 09, 2019

CloudBees announced an extension of its partnership with Google. As a Google Cloud Run launch partner, CloudBees will offer developers more flexibility in their deployment of containerized applications.

December 09, 2019

EPAM Systems has expanded its crowdtesting software solutions to enable user story testing.

December 05, 2019

Parasoft announced the newest release of Parasoft C/C++test, the unified C and C++ development testing solution for enterprise and embedded applications.

December 05, 2019

Datadog announced Security Monitoring, a new product that enables real-time threat detection across the entire stack and deeper collaboration between security, developers, and operations teams.

December 05, 2019

Pulumi announced the availability of Pulumi Crosswalk for Kubernetes, an open source collection of frameworks, tools and user guides that help developers and operators work better together delivering production workloads using Kubernetes.

December 04, 2019

CloudBees announced a Preview Program for CloudBees CI/CD powered by Jenkins X, a Software as a Service (SaaS) continuous integration and continuous delivery solution running on Google Cloud Platform.

December 04, 2019

Rancher Labs announced the general availability of K3s, their lightweight, certified Kubernetes distribution purpose built for small footprint workloads, along with the beta release of Rio, their new application deployment engine for Kubernetes that delivers a fully integrated deployment experience from operations to pipeline.

December 04, 2019

WhiteSource announced a new integration with Codefresh, the Kubernetes-native CI/CD solution.