Why security is the top issue for DevOps teams in 2017

Security, not speed, is shaping up to be the top issue for DevOps teams in 2017, a new survey suggests.

According to the 2017 State of the Application Delivery Report by F5 Networks Inc., security is the number one priority among 2,000 IT, networking, application and security professionals surveyed worldwide.

“Security teams are expanding beyond traditional firewalls and the legacy enterprise perimeter as a response to hackers increasingly targeting the application,” the report states.

Those same security concerns were echoed by senior Canadian IT managers at two CIO roundtables held recently in Toronto and Vancouver. The events were hosted by IT World Canada and sponsored by Hewlett Packard Enterprise (HPE).

“The last piece, for me, is the data and the applications. That’s the last mile we have to protect because your network has extended so far with wireless and third parties. So you don’t really know who’s touching your network,” said Serge Bertini, vice-president and general manager of Canada for HPE.

Serge Bertini, general manager of HPE Canada, says the application layer is ‘the last mile’ requiring protection.

Among those surveyed globally by F5, the top three security measures planned for 2017 are DNSSEC protection (cited by 25 per cent), DDoS mitigation (21 per cent) and web application firewall services or WAF (20 per cent).

While most DevOps teams have security top-of-mind, in reality, many aren’t executing their security plans very well, Bertini told the Toronto roundtable.

Although DevOps aims to speed up software development through automation and collaboration between IT and business units during the entire process, Bertini said “security in DevOps is an afterthought. Few people are starting to build this sort of (security) ‘check in, check out’ of code as part of their development lifecycle.”

HPE’s own survey data appear to back that up. In its Application Security and DevOps Report released last fall, the HPE Security Fortify team found only 20 per cent of DevOps teams are performing application security testing during development and 17 per cent aren’t using any security technologies at all to protect their applications.

Bertini said too many DevOps teams only consider security once a new application is finished, a decision that carries a high price for companies and their customers if security snags are spotted late in the process.

“It’s costly to wait until the end when my application is done to check it. If I have to delay my release by four to six weeks, that’s very costly,” Bertini said.

“We know this ‘inspect at the end’ approach doesn’t work. We just have to fix it,” said roundtable moderator Jim Love, CIO of IT World Canada.

Yet even organizations that consider security from the get-go can run into stumbling blocks with DevOps, as one Toronto guest explained.

ITWC CIO Jim Love says the ‘inspect at the end’ approach doesn’t work.

“We try hard to build in security upfront but there are always concerns about keeping on top of changes that happen after that. You may have a great (application) design but there’s a lot of stuff going on in the middle of the development process,” said the guest, an IT manager for a utility services firm.

If DevOps is all about continuous collaboration throughout the development cycle, why is there such a disconnect between developers and security pros? In the experience of one Vancouver guest, outsourcing parts of the development chain to third-party providers makes security more complicated.

“We’re not impressed with the weaknesses in cloud providers and how the cloud infrastructure providers manage their infrastructure,” said the guest, infosec director at a telecom services company.

A Toronto participant from a large consulting firm noted that when his teams lack the core competencies to develop an application in-house, outsourcing the work to India or other overseas markets adds another layer of security challenges.

A guest from the financial payments sector, however, said Canadian DevOps teams should look inward to improve their own internal communication skills first.

“DevOps with 10 different departments doing 10 different things, it’s hard,” he said.

Ensuring that members of DevOps teams have complementary skill sets would ease that situation, according to a guest from the consulting sector. He said infosec people should get “soft skills” training to communicate with business units using terms they can understand. A fellow participant suggested infosec pros should be able to read and write code so they can literally speak the same language as developers while checking new applications.

As Bertini summarized, “it seems like there’s the security team and the applications team and we’ve got to blur those lines.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Christine Wong
Christine Wong
Christine Wong has been an on-air reporter for a national daily show on Rogers TV and at High Tech TV, a weekly news magazine on CTV's Ottawa affiliate. She was also an associate producer at Report On Business Television (now called BNN) and CBC's The Hour With George Stroumboulopoulos. As an associate producer at Slice TV, she helped launch two national daily talk shows, The Mom Show and Three Takes. Recently, she was a Staff Writer at ITBusiness.ca and is now a freelance contributor.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now