Understanding the Reality of Secure DevOps
November 14, 2016

Ashish Kuthiala
Hewlett Packard Enterprise

As organizations continue to adopt a more collaborative DevOps model, many face a common challenge: effectively integrating security practices into the application development lifecycle process. This challenge was brought to light in a new Application Security and DevOps Report from Hewlett Packard Enterprise (HPE).

According to the report, virtually all IT operations professionals, security leaders and developers (99 percent) agree that adopting a DevOps culture has the opportunity to improve application security. However, only 20 percent are actually conducting application security testing today during the development process.

Even more troublesome, 17 percent of respondents say they are not using any security technology to protect their applications. This statistic highlights a significant disconnect between the perception and the reality of secure DevOps.

DevOps shows great promise for secure software development. It gives organizations the ability to test for, find and remediate security vulnerabilities earlier and more frequently in the application lifecycle as a result of continuous testing. Security flaws in software are no different from other software bugs: the earlier you detect and fix them, the less fallout they cause later in the cycle. It is far more cost-effective and efficient to catch a security flaw early in the software development cycle than to hear about it from customers using your application. If you wait to repair a flaw, you have to invest significantly more resources and time to fix it in customer environments than you would in development, and you also risk damaging your brand and losing revenue.

However, DevOps is not a magic bullet that automatically makes applications more secure. In fact, DevOps can compound the issue if security is not built into the development process. Applications are being developed and released faster than ever before, and the lack of an integrated approach can leave larger security holes. Therefore, it is critical that security and DevOps are incorporated together and work seamlessly.

The report shows that there are significant barriers and gaps which prevent organizations from successfully integrating security into the DevOps processes. Some of the key findings include:

Organizational challenges between security professionals and developers: The report reflected a significant disconnect between developers and security teams. In some cases, respondents admitted to not even knowing who their security colleagues were. Ninety percent of security professionals also stated that integrating application security has become more difficult since their organizations have deployed DevOps.

Lack of security awareness, emphasis, and training for developers: Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience or knowledge as part of the skills required.

Shortage of application security talent: For every 80 developers in the organizations surveyed, there is only one application security professional. The lack of appropriately staffed security personnel, along with increasingly rapid development cycles, makes secure development extremely difficult.

The report offers the following recommendations to bring down these barriers and achieve better integration of security experts within DevOps teams as organizations continue to adopt DevOps practices:

Make security a shared responsibility across the organization to eliminate barriers: Security must be embedded throughout every stage of the development process, with executive support and metrics to hold teams accountable for secure development. These metrics should focus on mean-time-to-triage (MTTT), mean-time-to-fix (MTTF), and program compliance.
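As an added illustration of the metrics named above (example code, not from the report or HPE), the following computes MTTT, MTTF and a program-compliance rate from constructed finding records; the record shape, the field names and the 30-day SLA are assumptions, since the report only names the metrics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Record shape, field names and the 30-day SLA are assumptions for this
# example; the report itself only names the three metrics.
@dataclass
class Finding:
    finding_id: str
    found_at: datetime
    triaged_at: Optional[datetime] = None  # None: not yet triaged
    fixed_at: Optional[datetime] = None    # None: still open

def _mean_hours(deltas: List[timedelta]) -> Optional[float]:
    if not deltas:
        return None  # undefined, not zero, when nothing has completed yet
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600

def mean_time_to_triage(findings: List[Finding]) -> Optional[float]:
    """MTTT in hours, over findings that have actually been triaged."""
    return _mean_hours([f.triaged_at - f.found_at for f in findings if f.triaged_at])

def mean_time_to_fix(findings: List[Finding]) -> Optional[float]:
    """MTTF in hours, over findings that have actually been fixed."""
    return _mean_hours([f.fixed_at - f.found_at for f in findings if f.fixed_at])

def program_compliance(findings: List[Finding], as_of: datetime,
                       sla: timedelta = timedelta(days=30)) -> Optional[float]:
    """Share of findings closed within the SLA; open findings older than the
    SLA count as non-compliant (a backlog cannot inflate the score), open ones
    still inside the window are left out as their outcome is not yet known."""
    decided = compliant = 0
    for f in findings:
        if f.fixed_at is not None:
            decided += 1
            compliant += (f.fixed_at - f.found_at) <= sla
        elif as_of - f.found_at > sla:
            decided += 1  # open and overdue
    return compliant / decided if decided else None

# Constructed sample data, not taken from the report.
T0 = datetime(2016, 11, 1, 9, 0)
SAMPLE_FINDINGS = [
    Finding("F-1", T0, T0 + timedelta(hours=2), T0 + timedelta(days=3)),
    Finding("F-2", T0, T0 + timedelta(hours=6), T0 + timedelta(days=45)),  # fixed late
    Finding("F-3", T0 + timedelta(days=10), T0 + timedelta(days=10, hours=4)),  # open, overdue
    Finding("F-4", T0 + timedelta(days=1)),  # never triaged, open, overdue
    Finding("F-5", T0 + timedelta(days=50)),  # open, still inside the SLA window
]
AS_OF = T0 + timedelta(days=60)
```

On the sample set the three functions give an MTTT of 4.0 hours, an MTTF of 576.0 hours and a compliance rate of 0.25, because the two overdue open findings count against the program while the one still inside its window does not.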

Make it seamless and more intuitive for developers to practice secure development by bridging awareness, emphasis, and training gaps: Organizations should integrate security tools into the development ecosystem so that developers can find and fix vulnerabilities in real time as they write code. This makes it easy and efficient to develop software securely, and educates developers on secure coding in the process.

Leverage automation and analytics to streamline application security: Organizations should use enterprise-grade application security automation, with analytics built in, during the testing and audit process. This allows security professionals to focus only on the highest-priority risks, reducing the number of security issues that require manual review, saving both time and resources, and lowering overall risk exposure.

Both security practitioners and developers believe that the DevOps movement has the potential to significantly improve application security. Yet, organizations are struggling to realize that potential. By integrating security into the development cycles early on and making it part of the development lifecycle culture, organizations can successfully secure software in this new DevOps world without impeding the speed and agility that it brings.

Ashish Kuthiala is Senior Director of Marketing and Strategy, Hewlett Packard Enterprise DevOps.
