Improving DevOps Agility Does Not Mean Sacrificing Data Security
August 01, 2017

Dan Timpson
DigiCert

When was the last time you worked closely with your IT security team? Your CISO may provide you (and every other employee) with guidelines for avoiding ransomware and other types of malware, but that may be the extent of your interactions with the security team. Your top priority is to improve application development agility, but you may run into roadblocks put up by a security team that (mistakenly) believes speed is the enemy of effective cybersecurity. A new survey finds a majority of enterprises are working to overcome those roadblocks by integrating security into their existing DevOps methodology.

That is the key finding of DigiCert's 2017 Inviting Security into DevOps survey. DigiCert polled 300 senior management professionals within IT, DevOps and Security teams with small, medium and large organizations that have already implemented a DevOps posture.

98 percent of respondents say they have made integrating their security teams into their existing DevOps methodology a priority in order to accomplish two primary goals: increase business agility, and improve information security. The market is at a tipping point. About half (49 percent) are working on doing so and half (49 percent) say they have completed the process.

"The faster that we implement something, the more likely it is to have vulnerability issues," said one respondent who is an IT manager for a large central US manufacturing firm. “That's why for us security is so important; it saves us time and money in the long run."

Underscoring the security risk, 59 percent of the respondents say they sometimes or often have rogue certificates (for example, certificates that DevOps purchased, but neglected to tell anyone in Security about, causing problems when they expire).

Integrating security with DevOps is not easy and presents several issues to overcome. To make matters more complex, these challenges can change once the integration process begins.

The top three obstacles in the minds of respondents who are just beginning their efforts are that:

1. The organization structure prohibits integration

2. They lack a champion for the transition

3. The security team doesn't really work well in a team environment

However, that list changes once an enterprise nears completion:

1. Takes too much time

2. Security team resists the change

3. The relationship skills required to integrate the two teams

Note the top challenge cited after integrating was that the transition took too long. Technical teams underestimate the challenge of integrating security into DevOps, thinking the integration will take less than a year (seven to 11 months), whereas those who claim to have completed the process say it took roughly twice as long – on average one to two years.

The latter group has another list, and it's one that should encourage companies that are still in the early stages: how their efforts have improved both security and agility. They are:

■ 22 percent more likely to report they are doing well with information security

■ 21 percent more likely to report doing well meeting app delivery deadlines

■ 21 percent more likely to report doing well at lowering app risk

The survey's findings also reveal four key steps any organization can take to achieve the optimum balance of development agility and information security:

1. Appoint a Social Leader

Identify one person who will drive cultural change by clearly defining IT, security, DevOps roles and integrating the disparate teams.

2. Bring Security to the Table

Place a security lead on all DevOps teams and involve them from the beginning. Limit access, and implement automated PKI to require signing and encrypting everything within the network.

3. Invest in Automation

Automate baseline security practices within DevOps workflow, including: certificate management, patching, vulnerability scanning, stack code analysis.

4. Integrate and Standardize

Implement controls on certificate management processes and integrate with server configuration and orchestration platforms to enable automated security behind the scenes.

If there's one key takeaway of the 2017 Inviting Security into DevOps survey findings, it's this: Integrating security into DevOps is well worth the effort.

“We've found that agility was actually a byproduct of putting security upfront," said a senior project manager at a large metals manufacturer in the northeast. “If you really want to be agile, you don't want to do things twice."

Dan Timpson is CTO at DigiCert
Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1