While the number of enterprises subscribing to cloud applications is increasing, that doesn’t mean internal application development has gone away. Sometimes customization may be needed for a cloud application to meet business needs, and sometimes a custom application may have to be written.
Either way security is an essential element of any internal development. And while IT departments are increasingly adopting the collaborative software development and delivery process called DevOps, making sure the security team is integrated and not an afterthought is vital.
That’s reinforced by a survey of 300 U.S. IT pros and managers released Wednesday by DigiCert, maker of identity and encryption solutions for enterprises: Eighty-eight percent of respondents said integrating security with DevOps is either somewhat or extremely important. The top two drivers they cited were speeding application development and improving security.
Just under half (49 percent) of the enterprises questioned had already integrated security into their DevOps teams, with an equal number actively working on completing that integration.
They admitted it wasn’t easy. “The top three challenges cited were that it takes too long, security teams resist the change and that it requires strong relationship skills to perform the integration,” says the report.
Interestingly, those who haven’t completed the move estimate the integration will take less than a year (seven to 11 months). But those who have completed the transition say it took an average of 1 to 2 years. Clearly some organizations are underestimating the effort.
Yet those who have done the integration say it’s worth it. Of those surveyed:
- 22 percent were more likely to report they are doing well with information security;
- 21 percent were more likely to report doing well at meeting app delivery deadlines;
- 21 percent were more likely to report doing well at lowering app risk.
“Agility and security are not mutually exclusive, and integration requires a combination of technology improvements, and a cultural shift in how technical staff is aligned,” DigiCert CSO Jason Sabin said in a statement. “The DevOps methodology is not just a method for increasing speed, but about improving efficiency, quality control and predictability in development outcomes. The right integration of security staff and technology, including digital certificates, can improve organizational metrics, avoid costly delays and improve the end-user experience.”
The report makes four recommendations to CIOs looking to integrate security into DevOps teams to help balance development agility and information security:
- Appoint a social leader: Identify a champion to drive cultural change, including defining IT, security and DevOps roles and integrating teams;
- Bring security to the table: Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, and sign and encrypt everything within the network using automated PKI;
- Invest in automation: Automate baseline security practices within the DevOps workflow, including certificate management, patching, vulnerability scanning and static code analysis;
- Integrate and standardize: Implement controls on certificate management processes and integrate them with server configuration and orchestration platforms to enable automated security behind the scenes.
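The last two recommendations (automating certificate management and putting controls on it) are concrete enough to show as a pipeline gate. The Go program below is an added example, not code from DigiCert or from the article: it applies a hypothetical certificate policy (minimum RSA key size, an expiry warning window and an allow-list of issuer names) to an inventory of PEM certificates keyed by service name and reports every service that is out of policy, which is the kind of check an orchestration platform can run before a deploy. The policy values, the service names and the in-memory CA used to mint test certificates are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// Policy is the baseline the gate enforces; the values are hypothetical.
type Policy struct {
	MinRSABits     int             // RSA keys shorter than this are flagged
	WarnBefore     time.Duration   // flag certificates that expire within this window
	AllowedIssuers map[string]bool // issuer CN -> permitted; empty map disables the check
}

// DefaultPolicy is the constructed baseline used by this example.
var DefaultPolicy = Policy{MinRSABits: 2048, WarnBefore: 30 * day,
	AllowedIssuers: map[string]bool{"Example Internal CA": true}}

// CheckCert applies the policy to one parsed certificate; an empty result means compliant.
func CheckCert(cert *x509.Certificate, now time.Time, p Policy) []string {
	var findings []string
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < p.WarnBefore:
		findings = append(findings, "expires-soon")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		findings = append(findings, "weak-rsa-key")
	}
	if len(p.AllowedIssuers) > 0 && !p.AllowedIssuers[cert.Issuer.CommonName] {
		findings = append(findings, "untrusted-issuer")
	}
	return findings
}

// CheckInventory parses PEM certificates keyed by service name and returns the findings
// of every non-compliant service; an unparsable entry fails the whole gate.
func CheckInventory(inv map[string][]byte, now time.Time, p Policy) (map[string][]string, error) {
	out := map[string][]string{}
	for name, raw := range inv {
		block, _ := pem.Decode(raw)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s: no CERTIFICATE block found", name)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if f := CheckCert(cert, now, p); len(f) > 0 {
			out[name] = f
		}
	}
	return out, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssueTestCert mints a constructed leaf certificate signed by a throwaway in-memory CA
// named issuerCN so the example runs offline; a real gate would instead read the
// certificates deployed by the orchestration platform.
func IssueTestCert(issuerCN string, rsaBits int, notBefore time.Time, validity time.Duration) []byte {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(rsa.GenerateKey(rand.Reader, rsaBits))
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}, PublicKey: &caKey.PublicKey}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "svc.example.internal"},
		NotBefore: notBefore, NotAfter: notBefore.Add(validity)}
	der := must(x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory is a constructed set of three services, dated relative to now.
func SampleInventory(now time.Time) map[string][]byte {
	return map[string][]byte{
		"api-gateway":    IssueTestCert("Example Internal CA", 2048, now.Add(-100*day), 200*day),
		"billing-legacy": IssueTestCert("Example Internal CA", 1024, now.Add(-800*day), 825*day),
		"dev-sandbox":    IssueTestCert("Self-Signed Dev", 2048, now.Add(-10*day), 365*day),
	}
}

func main() {
	now := time.Now().UTC()
	findings := must(CheckInventory(SampleInventory(now), now, DefaultPolicy))
	fmt.Printf("non-compliant services: %v\n", findings) // anything listed fails the gate
}
```

Run with `go run .`; in the constructed inventory the gateway passes, the legacy billing service is flagged for both a 1024-bit key and a certificate that expires in 25 days, and the sandbox is flagged for a certificate from an issuer outside the allow-list. Failing the gate on a parse error (rather than skipping the entry) is deliberate: a certificate the platform cannot read is one it also cannot renew or rotate automatically.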