Veracode: DevOps skills gap filled by 'on the job' education

There are many truths in DevOps.

We know that good DevOps will kill DevOps, ultimately. Or to be clearer, effective implementation of DevOps principles could help to ultimately dissolve and eradicate the job title itself, but not the working practices, tools and procedural methods of DevOps.

We also know that DevOps will continue to be the subject of surveys… and (here’s another truth) there’s an old saying in marketing and public relations: when there’s no news, do a survey.

How to read a survey

When you read the term ‘new research shows’, train your brain to read ‘new research suggests that a firm has asked contrived questions with the aim of narrowing answers into a specific slant to produce survey results that run in line with its core approved set of corporate messages’… and then you can take surveys with an appropriate pinch of salt.

Appropriately salt-seasoned and oven-ready then, let us consider the survey ‘findings’ coming out of work carried out by security-focused application behavioural analysis and software composition analysis firm Veracode (now part of CA Technologies).

NOTE: Readers can find a new piece on this story at: Developers lack skills needed for secure DevOps, survey shows.

Veracode’s message suggests that software developers are not receiving the training they need to be successful as DevOps becomes the prevalent approach to building and operating digital products and services.

The 2017 DevSecOps Global Skills Survey, sponsored by Veracode, notes that those surveyed said that their IT workforce is only somewhat prepared (55 percent) or not prepared (nearly 30 percent) with the skills necessary to securely deliver software at the speed of DevOps.

“In fact, nearly 40 percent of hiring managers surveyed reported that the hardest employees to find are the all-purpose DevOps gurus with sufficient knowledge about security testing,” said Veracode, in a canned press statement.

It’s on the job that counts

Although nearly 80 percent of respondents have a bachelor’s or master’s degree – with 50 percent reporting that they studied and earned degrees in computer science – there is still a lack of cybersecurity knowledge prior to entering the workforce. The survey suggests that 70 percent of respondents said the security education they received is not adequate for what their current positions require and that they’re learning their most relevant professional skills on the job (65 percent).

“WannaCry and Petya are just two recent examples of large-scale cyberattacks that further demonstrate the importance of security in today’s exceedingly digital world. Despite this apparent need, security practices and secure software development isn’t required to earn a degree in IT or computer science,” said Maria Loughlin, VP of engineering, Veracode. “Our research with highlights the fact that there are no clear shortcuts to address the skills gap. Higher education and enterprises need to have a more mature expectation around what colleges should teach and where organisations need to supplement education given the ever-changing nature of programming languages and frameworks. The industry will have to come together to ensure the safety of the application economy.”

According to the survey, slightly less than half of respondents said their employers paid for additional training since their entry into the workforce – and nearly seven in 10 developers report that their organisations provide them with inadequate security training.

Third-party training, either in the classroom or through e-learning, was identified by one in three surveyed as the most effective way to gain new, relevant skills – but the study suggests that very few are afforded the opportunity (four percent).