maciek905 - Fotolia
The importance of factoring security checks into each stage of the software development process is laid bare in 2016’s State of DevOps report, which claims teams that do this end up more efficient.
The report, compiled each year by software automation supplier Puppet, seeks out the opinions of DevOps practitioners to gauge how adoption of the software development methodology is progressing worldwide.
2016’s report features input from more than 4,600 respondents and suggests enterprise appreciation of the benefits DevOps can bring to an organisation – from a business agility and morale perspective – is now firmly established.
“DevOps is no longer a mere fad or buzzword, but an understood set of practices and cultural patterns,” the report said.
“People turn to DevOps not just to improve daily working life and get time back for family, friends and beer, but to improve their organisation’s performance, revenues, profitability and measurable outcomes.”
A top concern addressed by 2016’s report is how to ensure the push to embrace faster and shorter software development cycles does not compromise the quality or robustness of the code that gets produced.
“The more we work with organisations as they progress through their DevOps journeys, the more we hear the same theme: Quality and security are everyone’s responsibility,” the document stated.
“We wanted to confirm that continuous delivery practices made a difference to the quality of the products being built, and see if integrating security throughout the software development cycle yields better outcomes.”
To measure this, the report’s authors asked respondents to comment on the percentage of time their DevOps teams devote to carrying out unplanned work, such as break/fix tasks and the release of emergency patches.
Security concerns with DevOps ‘misplaced’
As previously reported by Computer Weekly, security concerns are often cited as a reason by enterprise IT leaders not to give DevOps projects the greenlight in their organisations, but the report’s findings suggest their worries are misplaced.
For example, the amount of unplanned work carried out by high performing DevOps teams – who release code changes multiple times a day – is far lower than groups who do so less frequently.
“High performers reported spending 49% of their time on new work and 21% on unplanned work or rework. By contrast, low performers spend 38% of their time on new work and 27% on unplanned or rework,” the report stated.
“High performers spend 29% more time on new work than low performers, and 22% less time on unplanned work and rework. Furthermore, continuous delivery predicts lower levels of unplanned and rework in a statistically significant way.”
Automated security testing
While the report’s findings suggest high-performing DevOps teams create higher quality code overall, too many fall into the trap of neglecting to security test their output until they reach the end of the deployment process.
Any errors that get picked up at that late stage can be costly to rectify and wholly avoided, the report added, if teams built testing in each stage of the software development cycle.
“Instead of testing for security concerns at the end of the process, we believe we can achieve better outcomes by making security a part of everyone’s daily work,” the report continued.
“That means integrating security testing and controls into the daily work of development, quality assurance and operations.”
Including additional security checks does not necessarily need to increase the individual workloads of those in the team, as it should be fairly straightforward to automate this task, the report stated.
“By automating these activities, we can generate evidence on demand to demonstrate that our controls are operating effectively, whether to auditors, assessors or anyone else working in our value stream,” it added.
Read more about DevOps
- Enterprises risk missing out on the business agility benefits that adopting DevOps can bring because of misplaced concerns about the level of risk to operations.
- The topic of DevOps has dominated discussions at many of the major IT conferences this year, with suppliers and analysts lining up to warn enterprises about the business risks of failing to adopt a more agile approach to software development.