DevOps and security need to become better friends

The road to hell is paved with good intentions, and while nearly all respondents in a recent HP Enterprise survey agree that DevOps culture could strengthen security, there’s still a long way to go.

The Application Security and DevOps Report 2016, just released by the HPE Security Fortify team, closely examines the challenges many organizations face in integrating security across DevOps. It found that 99 per cent of respondents agreed that adopting a DevOps culture presents an opportunity to improve application security. However, only 20 per cent are actually doing application security testing during development; most organizations rely instead on downstream controls such as pre-production penetration testing and network security.

Further highlighting the disconnect between the perception and the reality of secure DevOps, 17 per cent of respondents weren't using any technologies at all to protect their applications.

DevOps is a process that gets developers, IT professionals and business users working as a team to build, test and release software.

Scott Johnson, Fortify’s director of product management, said there’s another disconnect at play, according to the survey, and it’s between developers and security teams. Some survey respondents admitted to not even knowing their security teams. As a result, 90 per cent of security professionals stated that integrating application security has become more difficult since deploying DevOps.

Not only do many developers not know their security teams, but there is also a lack of security awareness, emphasis and training for developers, the study found, combined with a shortage of application security talent: for every 80 developers in an organization, there is only one application security professional. The HPE research also found that only 15 per cent of chief security officers have a background in development.

Johnson said HPE conducted the survey to validate the need for tools that tie DevOps and security together more closely, and to better understand where customers stood with regard to DevOps. The research shows customers span a wide spectrum of maturity. "Some are fully embracing DevOps and its tools. Others are just starting."

In general, spending in the application security segment is going up, but Johnson said the fact that 17 per cent of respondents aren't using any technologies to protect applications is disconcerting, given the prevalence of cyber attacks and how often vulnerabilities sit at the code level. "The vulnerability in the code is the point of execution." While the network and the device are the transport for bad actors, he said, they matter less if the code itself can't be exploited.

Johnson said eliminating more vulnerabilities while the code is being written has the potential for much better outcomes than reacting with patches, especially as the pressure increases to release more applications more quickly in order to stay competitive, meet market demand and satisfy customer feature requests. Layering security on top instead of building it in becomes problematic, he said; security needs to be part of the development workflow.
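As an added illustration of what "part of the workflow" can look like in practice, the following is a small pre-merge security gate of the kind a CI job would run on every pull request, so that findings reach the developer while the code is still being written rather than in a pre-production pentest. This is example code written for this article, not HPE or Fortify code and not a substitute for a real static analyser: the three pattern rules, the sample diff, and the file name app/db.py are all constructed here for demonstration.

```python
"""Added example: a pre-merge security gate run from CI on the diff of a pull request.

Illustrative code written for this article; it is not HPE/Fortify code. The
rules are deliberately simple regexes so the mechanism stays readable. A real
SAST tool does data-flow analysis; the point shown here is where in the
workflow the check runs, not the sophistication of the analysis.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: the added ("+") lines of a hypothetical pull request,
# in the unified-diff form a CI job receives from `git diff`. Not real code.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
+++ b/app/db.py
@@ -10,4 +10,8 @@
+API_KEY = "sk_live_0123456789abcdef0123456789abcdef"
+def find_user(cur, name):
+    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
+    return cur.fetchone()
+import subprocess
+def ping(host):
+    return subprocess.run("ping -c 1 " + host, shell=True)
"""


@dataclass
class Finding:
    path: str      # file the added line belongs to
    line_no: int   # line number in the new version of the file
    rule: str      # which rule fired
    text: str      # the offending source line, stripped


# Each rule is (name, compiled regex). Kept narrow so they stay precise.
RULES = [
    # secret-looking assignment of a quoted literal of 8+ characters
    ("hardcoded-secret",
     re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\s*=\s*["'][^"']{8,}["']""")),
    # SQL keyword inside a double-quoted string that is then concatenated
    ("sql-string-concat",
     re.compile(r"""\.execute\(\s*"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+""")),
    # string concatenation passed to subprocess with shell=True
    ("shell-injection",
     re.compile(r"""subprocess\.\w+\(.*\+.*shell\s*=\s*True""")),
]


def scan_added_lines(diff_text: str) -> list:
    """Walk a unified diff and run every rule over the added lines only.

    Only "+" lines are scanned, so the gate reports what this change
    introduces and does not block a merge for pre-existing debt.
    """
    findings = []
    path = "?"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header: "+++ b/app/db.py"
            path = raw[4:].removeprefix("b/")
            continue
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if m:                                  # hunk header gives the new start line
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):                # added line: scan it
            line = raw[1:]
            for name, pattern in RULES:
                if pattern.search(line):
                    findings.append(Finding(path, new_line, name, line.strip()))
            new_line += 1
        elif not raw.startswith("-") and not raw.startswith("diff "):
            new_line += 1                      # context line exists in the new file too
    return findings


def gate(diff_text: str) -> int:
    """Exit status for the CI job: non-zero fails the job and blocks the merge."""
    findings = scan_added_lines(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.text}")
    return 1 if findings else 0


if __name__ == "__main__":
    # In CI this would be: git diff origin/main...HEAD | python gate.py
    sys.exit(gate(SAMPLE_DIFF))
```

Run against the constructed diff, the gate reports the hard-coded key on line 10, the concatenated SQL on line 12 and the shell=True concatenation on line 16, and exits non-zero; a clean diff exits zero. Wiring exactly this kind of check into the pull-request pipeline, rather than waiting for a downstream pentest, is the "building it in" that Johnson describes.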

"Developers are not necessarily trained for security," said Johnson. "They write code as fast and clean as possible. Security is not part of the process."


Gary Hilson
Gary Hilson is a Toronto-based freelance writer who has written thousands of words for print and pixel in publications across North America. His areas of interest and expertise include software, enterprise and networking technology, memory systems, green energy, sustainable transportation, and research and education. His articles have been published by EE Times, SolarEnergy.Net, Network Computing, InformationWeek, Computing Canada, Computer Dealer News, Toronto Business Times and the Ottawa Citizen, among others.
