Nataliya Yakovleva - Fotolia

DevOps largely failing to improve security, study shows

Despite the promise of improved application security, DevOps is failing to deliver due to some key barriers, an HPE study shows

Many organisations that are combining application development and systems operations teams are failing to improve security with this DevOps approach, a study has revealed.

This is despite the promise of more secure software development by enabling organisations to find and remediate vulnerabilities more frequently and earlier in the application lifecycle.

Research indicates a gap between perception and reality for secure DevOps and underlines the importance of aligning security and DevOps, according to the Application Security and DevOps Report 2016 published by Hewlett Packard Enterprise (HPE).  

The report uses data and analysis from HPE Security teams, industry leaders, enterprises and developers to highlight the gaps and barriers between the promise and reality of secure DevOps. It also examines the challenges many organisations face in integrating security across DevOps, and provides recommendations to strengthen these initiatives.

According to the report, 99% of respondents agree that adopting a DevOps culture has the opportunity to improve application security.

However, only 20% doing application security testing during development, and 17% are not using any technologies to protect their applications. This highlights a significant disconnect between the perception and reality of secure DevOps, the report said.

“Our research shows that security leaders and developers believe that the DevOps movement has the potential to significantly improve application security, but organisations are struggling to realize that potential so far,” said Jason Schmitt, vice-president and general manager of the Fortify business in HPE Security.

“By understanding the current state of DevOps and best practices for integrating security into the development culture, organizations can successfully secure software in this new DevOps world without impeding the speed and agility that it brings,” he said.  

Remove barriers

The report identifies key barriers and gaps preventing organisations from integrating security and DevOps successfully, such as organisational barriers between security professionals and developers.

The report shows a significant disconnect between developers and security teams, and in some cases, respondents admitted to not even knowing their security teams. This led to 90% of security professionals stating that integrating application security has become more difficult since their organisations deployed DevOps.

The report also looked at the lack of security awareness, emphasis and training for developers. Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the skills required.

A shortage of application security talent was also identified as an issue by the report. For every 80 developers in the organisations surveyed, there is only one application security professional. The lack of security personnel, the report said, along with the increasingly rapid development cycle, make secure development extremely difficult.

“Adopting a DevOps process can help make applications more secure, since the development and production environment are built the same way and to the same security standards and testing,” said John Meakin, group information security officer at Burberry.

“However, it requires a commitment across the organisation to prioritise security, and incorporate more automated testing to make it easier to gather real-time feedback and remediate vulnerabilities throughout the development process,” he said.  

Integrate security with DevOps

As organisations to adopt DevOps culture, the report recommends measures to remove barriers for secure application development and to integrate security with DevOps.

The report recommends that security should be a shared responsibility across the organisation to eliminate barriers. It must be embedded throughout every stage of the development process, the report said, with executive support and metrics to hold teams accountable for secure development. These metrics should focus on mean-time-to-triage and mean-time-to-fix.

Companies should strive to bridge awareness, emphasis and training gaps by making it seamless and more intuitive for developers to practice secure development.

Organisations should integrate security tools into the development ecosystem, the report said, to allow developers to find and fix vulnerabilities in real-time as they write code. This makes it easy and efficient to develop securely, and educates the developer on secure coding in the process, the report said.

The report also said companies should use automation and analytics as application security force multipliers.

Organisations should use enterprise-grade application security automation with analytics built in to automate the application security testing audit process and allow their application security professionals to focus only on the highest priority risks.

This reduces the number of security issues that require manual review, the report said, saving both time and resources, while lowering overall risk exposure.

Read more about DevOps

Read more on Application security and coding requirements