Businesses failing to grasp DevSecOps

Although a growing number of businesses are combining their applications development and IT operations teams, integration of DevOps with security operations is lagging behind.

This is the main finding of research commissioned by global technology services provider Claranet, which found that despite the fact that 88% of UK businesses have either adopted a DevOps approach or plan to adopt one in the next couple of years, only 19% are fully confident in their ability to integrate security.

This lack of confidence about integrating security, known as DevSecOps, underlines the potential data security risks that businesses are creating for themselves, the research report said. This is especially given how DevOps tends to outpace traditional security controls and the work that needs to be done within IT departments to embed and automate security best practices into the DevOps lifecycle.

The research, conducted by market research firm Vanson Bourne, included 300 respondents from businesses in the UK and US. It found that just under half (47%) of UK organisations have adopted a DevOps approach, with an additional 41% planning to make this a reality in the next couple of years, indicating that DevOps is becoming a de facto way of working for many IT departments.

However, when considered alongside the fact that a fifth of organisations doubt their capability to deliver DevSecOps, the research report said it becomes clear that there is a significant disconnect between DevOps capabilities and DevSecOps readiness.

This lack of full emphasis on security as part of the DevOps process could lead to data security issues further down the line, the report warns.

Commenting on the findings, Sumit Siddharth, director at NotSoSecure (a Claranet Group company), said embracing DevOps is clearly at the forefront of the minds of the majority of IT leaders across the UK, which provides some cause for encouragement.

“But the overall lack of integration of security best practices into this process shows that, for many businesses, security is still being considered as something that is administered separately to the development lifecycle, rather than incorporated into it from end to end,” said Siddharth.

Given the frequent development cycles that are an inherent characteristic of DevOps, Siddharth said that seeing security as a separate entity can slow processes down and reduce efficiency.

“This either compromises the agility which is so central to any DevOps philosophy, or leads to windows where vulnerabilities can be released and won’t be spotted until the next security testing cycle,” he added.

To remedy this issue and help the IT department to effectively transition to a DevSecOps approach, he said that training of staff throughout the IT department is essential, as is the adoption of new approaches to security testing and continuous monitoring and analytics throughout the DevOps lifecycle.

“To do this, businesses should be willing to enlist the expertise of third parties who are well-versed in meeting the DevSecOps challenge,” he said.

While the benefits of DevSecOps are clear, Siddharth said making it a reality is a complex process. “Working out how to implement and automate application security – such as continuous monitoring and static analysis – within existing continuous integration/Continuous development pipelines takes time and effort, so it’s important that organisations receive in-depth guidance in how to make this happen,” he added.

Newer approaches to security testing, such as continuous security testing, he said, need to be used to ensure any testing approach is keeping up with the rate of change DevOps approaches allow for. 

“This guidance should be tailored to everyone involved in the DevSecOps process. Development teams need to be trained in order to heighten their security awareness and figure out how they can work with their security-focused colleagues, and security personnel will benefit from learning how their role fits within the wider DevOps ecosystem. If these formerly disparate components can be brought together, an effective DevSecOps philosophy will follow as a matter of course,” he said.