
DevOps security remains an afterthought

The promise of DevOps breaking down organisational silos has not yet materialised for security

While enterprises are adopting DevOps to speed up software development and improve application security, barriers between development and security teams still exist, a study by HPE has found.

The chasm is so deep that, in some cases, developers do not know their security teams. In fact, some 90% of security professionals claim that ensuring application security has become more difficult since their organisations deployed DevOps.

The HPE study is based on analysis from security teams, industry leaders, enterprises and developers to deliver key insights on the gaps and barriers between the promise and reality of secure DevOps.

Much of the disconnect may be attributed to the lack of security awareness, emphasis and training for developers. Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the skills required, according to the HPE study.

The lack of application security talent is another contributing factor. For every 80 developers in the organisations surveyed, there is only one application security professional. The lack of security personnel, along with the increasingly rapid development cycle, makes secure development extremely difficult, the report noted.

APAC enterprises reactive to DevOps security

Sherrel Roche, senior market analyst for services research at IDC Asia-Pacific, noted that while enterprises are aware that they are prone to data breaches and online attacks, security is still not an integral part of DevOps.

Indeed, according to a June 2016 IDC global DevOps study, only 40% of the organisations said security was part of their DevOps practice or project planning cycle. Additionally, 41% said they worked with the security team only on an ad hoc basis.

According to Roche, organisations in the Asia-Pacific region continue to be reactive to DevOps security, and will work with security teams only during audit requests or when a security breach occurs. This poses challenges for security teams whose mandate is to release and maintain secure applications.

“DevOps teams need to partner with security teams to assess and release software thoroughly at a continuous and rapid pace. It is crucial that executives encourage DevOps teams to work with security, audit and compliance teams to ensure DevOps practices deliver value and reliability,” said Roche.

“Security needs to be integrated into the application development process from the beginning, making it a fundamental part of the DevOps process,” she added.

Pushkaraksh Shanbha, senior research manager at IDC’s Asia-Pacific services and cloud research group, concurred with HPE’s findings.

He said very few enterprises have integrated security into their DevOps practices because of legacy software development processes, and a view of security that has not evolved from an over-emphasis on perimeter security to application and data-centric security.

Richard Gerdis, vice-president of DevOps, Asia-Pacific and Japan, at CA Technologies, noted that security is likely to continue being an important trend in DevOps this year, given the growing intensity and sophistication of cyber threats.

“In addition to speed and quality, good code also needs to protect users against cyber malice, and organisations from negative publicity and reputational damage,” he added.
