Developers lack skills needed for secure DevOps, survey shows
The growing demand for developers with security skills is outpacing supply, but a survey reveals that a lack of formal security education and training by employers is contributing to the growing skills gap
Just over three-quarters of developers say security and secure development education needed for today’s world of coding is missing from formal curriculums, a global survey has revealed.
The research shows that software developers are not receiving the training they need to be successful, as DevOps becomes the prevalent approach to building and operating digital products and services.
In today’s application-centric economy, commentators say that gap could have a real impact on the productivity of businesses in every industry, as well as on the security and quality of the software that underpins the digital economy.
Having knowledge of DevOps when entering IT is very important, according to 65% of 400 DevOps professionals polled in the 2017 DevSecOps Global Skills Survey, sponsored by application security firm Veracode and DevOps.com, a site dedicated to DevOps education and community building.
However, 70% said they are not receiving the necessary training through formal education, making it difficult to be successful in today’s DevSecOps world.
DevSecOps refers to the practice of integrating security into the development and testing of software for faster, better quality outcomes by testing early and often.
The on-demand nature of today’s digital economy has driven the need to focus on innovation and improve the overall workflow of the modern enterprise.
But implementing DevSecOps processes in software development and deployment as a means of fuelling this effort has highlighted the fact that today’s formal education for IT and development professionals has not evolved in the same way, or as quickly, as development has shifted, the survey found.
Those surveyed said their IT workforce is only “somewhat prepared” (55%) or not prepared (nearly 30%) with the skills necessary to securely deliver software at the speed of DevOps.
Nearly 40% of hiring managers surveyed reported that the most difficult employees to find are all-purpose DevOps specialists with sufficient knowledge of security testing.
This poses a significant challenge, the survey report said, because more than 50% of organisations said that either the entire organisation or some of their teams are currently following DevOps practices.
Although nearly 80% of respondents have a bachelor’s or master’s degree, with 50% reporting that they studied and earned degrees in computer science, the survey found there is still a lack of cyber security knowledge prior to entering the workforce.
Inadequate security education
The survey found that 70% of respondents said the security education they received was not adequate for what their current positions require, while 65% said they are learning their most relevant professional skills on the job.
“With major industry breaches further highlighting the need to integrate security into the DevOps process, organisations need to ensure that adequate security training is embedded in their DNA,” said Alan Shimel, editor in chief, DevOps.com. “As formal education isn’t keeping up with the need for security, organisations need to fill the gap with increased support for education.”
According to the survey, slightly under half of respondents said their employers paid for additional training since their entry into the workforce, and nearly seven in 10 developers report that their organisations provide them with inadequate security training.
Third-party training, either in the classroom or through e-learning, was identified by one in three surveyed as the most effective way to gain new, relevant skills, but the study confirmed that very few, only 4%, are afforded the opportunity.
“WannaCry and [Not]Petya are just two recent examples of large-scale cyber attacks that further demonstrate the importance of security in today’s exceedingly digital world. Despite this apparent need, security practices and secure software development isn’t required to earn a degree in IT or computer science,” said Maria Loughlin, vice-president of engineering at Veracode.
Secure development and deployment
Veracode, acquired by CA Technologies in April 2017, enables the secure development and deployment of the software that underpins the application economy. According to the company, the Veracode Platform has assessed more than two trillion lines of code and helped companies fix more than 27 million security flaws.
“Our research with DevOps.com highlights the fact there are no clear shortcuts to address the skills gap. Higher education and enterprises need to have a more mature expectation around what colleges should teach and where organisations need to supplement education, given the ever-changing nature of programming languages and frameworks. The industry will have to come together to ensure the safety of the application economy.”