Application security still a core issue in DevOps
In spite of the opportunities to improve security, very few real-life DevOps programs have actually done so, often due to the dual pressures of speed and innovation. We look at the facts, figures and potential benefits to your business…
In spite of the opportunities to improve security, very few DevOps programs have included it, allocating higher priority to speed and innovation, claims a new study by HPE.
As overall security awareness has risen in the IT industry, the issue of how to integrate security into DevOps has been a regular discussion topic.
When asked how organizations adopting DevOps are currently protecting applications, the overwhelming majority cited security practices or controls downstream of the SDLC, with only 20 per cent stating that secure SDLC testing is done throughout development. Most organizations are relying on the technologies downstream, such as pre-production penetration testing and network security. A shocking 17 per cent stated that they are not using any technologies to protect their applications.
The results make disappointing reading given the promise of DevOps, which the survey itself highlights - 99 percent of all respondents agreed that adopting a DevOps culture has the opportunity to improve application security.
Ilia Kolochenko, CEO of High-Tech Bridge, said: “Implementation of DevSecOps is not an easy task, and also involves quite important costs. Taking into consideration that the global economy is continuously slowing down, it’s not surprising that companies hesitate to spend on “perfect security”. Moreover, DevSecOps is very difficult to implement when teams of developers, admins and infosec are located on different continents. Last, but not least, DevSecOps implementation in SMEs will probably not make sense, as it will cost more money than it can save in the future.”
At first glance this is a serious and widespread issue, given the momentum and hype behind DevOps adoption. Recent Gartner research claims that 38 percent of enterprises are now using DevOps and predicts that 50 percent will be actively using it by the end of 2016. A report from RightScale claims that nearly three-quarters of businesses planned to adopt a DevOps style of software development in 2016, up from two-thirds of companies in 2015.
However, the HPE Security Fortify researchers found that the picture is slightly less black-and-white: a large share of the organisations surveyed (90 per cent) have at least 5 per cent of their development teams practicing DevOps, typically as small pilot programs. In other words, while the headline adoption figures might stack up on one level, the number of advanced and mature DevOps programs is low.
This lack of maturity might go some way towards explaining the research's finding that the main barrier to creating more secure applications within DevOps is organizational. Companies that already had a focus on security continued that focus, but firms that had not made security a priority saw less benefit. Security can often feel disconnected from both development and operations, and in some cases respondents admitted to not even knowing their security teams. “Reporting lines within organizations do not help break down organizational silos and most development, operations, and security groups have completely separate reporting structures. These dynamics can lead to a divide between security organizations and development with differing metrics and misaligned priorities”, said the report.
Perhaps unsurprisingly, a major pressure on developers in a DevOps environment is to get features out to market as fast as possible. This business requirement is forcing development to prioritize features, functionality, and performance and eliminate anything that is considered to slow down the development process, the report continued: “Most developers today do care about security and many are starting to learn and incorporate security practices in their work, but they are still primarily measured and motivated to focus on timely delivery, features, and quality. They usually agree that there is an overall lack of security training and pressure to release quickly compromises their ability to place more emphasis on software vulnerabilities until it is too late in the process.”
The report also raises a couple of interesting points about the wider causes of the lack of security focus. Apparently, none of the top 10 US Bachelor’s Computer Science programs require a security class to graduate, and companies rarely ask for security skills when hiring: of more than 100 job postings for software developers at Fortune 1000 companies, none specified security, secure coding experience, or knowledge as part of the skills required.
HPE recommends the following best practices for secure application deployment: make security a shared responsibility across the organisation; integrate security tools into the development ecosystem so that developers can find and fix vulnerabilities in real time; and leverage enterprise-grade application security automation with built-in analytics to automate the application security testing audit process, in order to avoid common application weaknesses like these...
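The second and third recommendations above amount to putting a security gate inside the delivery pipeline rather than waiting for pre-production penetration testing. The following is an added example, not HPE's tooling or anything from the report: a small CI gate that reads scanner findings (a constructed sample report stands in for the output of a real SAST or dependency scanner), compares them against a baseline of already-accepted findings, and fails the build only on new findings at or above a chosen severity. The report format, the severity names and the baseline-matching scheme (rule plus file, so that line shifts between commits do not reopen known issues) are all assumptions made for this example.

```python
"""Minimal CI security gate (added example; format and policy are assumptions).

Fails a build on *new* findings at or above a severity threshold while letting
already-baselined findings through, so teams under delivery pressure still get
a blocking signal for fresh defects without being stopped by a legacy backlog.
"""
import json
import sys
from dataclasses import dataclass

# Assumed severity vocabulary; real scanners differ, map them here.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int
    severity: str

    def key(self):
        # Baseline identity deliberately ignores the line number so that an
        # unrelated edit above a known finding does not make it look "new".
        return (self.rule, self.file)


def parse_findings(report_json: str):
    """Parse the (assumed) scanner report format: {"findings": [{...}, ...]}."""
    data = json.loads(report_json)
    findings = []
    for entry in data["findings"]:
        severity = entry["severity"].lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in report")
        findings.append(Finding(entry["rule"], entry["file"], int(entry["line"]), severity))
    return findings


def evaluate(findings, baseline_keys, fail_at="high"):
    """Split findings into blocking (new and severe enough) and baselined ones."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if f.key() not in baseline_keys and SEVERITY_RANK[f.severity] >= threshold]
    baselined = [f for f in findings if f.key() in baseline_keys]
    return {"pass": not blocking, "blocking": blocking, "baselined": baselined}


def run_gate(report_json: str, baseline_keys, fail_at="high"):
    return evaluate(parse_findings(report_json), baseline_keys, fail_at)


# Constructed sample report: one new critical finding, one known high finding
# that is already in the baseline, and one new medium finding below the bar.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "critical"},
    {"rule": "hardcoded-password", "file": "app/config.py", "line": 7, "severity": "HIGH"},
    {"rule": "weak-hash", "file": "app/legacy.py", "line": 120, "severity": "medium"},
]})
SAMPLE_BASELINE = {("hardcoded-password", "app/config.py")}


if __name__ == "__main__":
    result = run_gate(SAMPLE_REPORT, SAMPLE_BASELINE)
    for f in result["blocking"]:
        print(f"BLOCKING {f.severity:8} {f.rule} at {f.file}:{f.line}")
    for f in result["baselined"]:
        print(f"known    {f.severity:8} {f.rule} at {f.file}:{f.line} (baselined)")
    print("gate:", "PASS" if result["pass"] else "FAIL")
    sys.exit(0 if result["pass"] else 1)
```

Wired into a pipeline step after the scanner, the non-zero exit status blocks the merge for the new SQL injection finding while the baselined hard-coded password is reported but not blocking; the baseline file is the place to record and periodically burn down such accepted debt, so "integrated tooling" does not quietly become "tooling everyone ignores".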