Survey results | Integrating Security Into DevOps Isn’t Easy, But Doable
By George Hulme for SDxE
There’s a new (yes, yet another) study out on how challenging it is to incorporate security into DevOps. The latest is from digital certificate provider DigiCert, titled Inviting Security into DevOps Survey. While some assumptions of the study strike me as being detached from the typical viewpoint of large enterprises, the results are worth a look.
First, let’s be clear: Enterprises — and all organizations that use DevOps — are continually looking for ways to better embed security, especially application and cloud security, into DevOps patterns. But that’s not new. There isn’t any particular “tipping point” happening now. Concerns about security, and how security would look and function within DevOps, have been a broad part of the discussion since Day 1.
The good news is that it seems to be happening. According to the survey, 98 percent of enterprises are integrating, or trying to integrate, their security teams into their existing DevOps processes.
"Going faster introduces security risks, while maximizing security often slows things down," Dan Timpson, chief technology officer at DigiCert said in a statement. "The market is at a tipping point, and enterprises are looking for solutions to minimize the time that it takes to integrate and to help security better fit within DevOps workflows."
The survey covered 300 senior DevOps and security executives. Almost half, 49 percent, say that they are in the process of integrating security into DevOps, and 49 percent say those efforts are “completed.”
I’m curious to see their definition of “complete.” As in good hygiene, good health practices or becoming increasingly proficient in a skill, there is never a “done” until death or retirement.
Good habits in security and DevOps are an ongoing project.
Still, not surprisingly, those who believe that they have successfully integrated security into DevOps report improvements in both security and agility:
- 22 percent are more likely to report they are doing well with information security;
- 21 percent are more likely to report doing well meeting app delivery deadlines; and
- 21 percent are more likely to report doing well at lowering app risk.
Most agree that having security as an agile aspect of DevOps is somewhere between somewhat and extremely important. What’s more interesting is that respondents say not doing so will be expensive, through increased costs (78 percent), slower app delivery (73 percent) and increased security risks (71 percent).
So why isn’t everyone on board?
The challenges respondents expected to encounter were many of the usual suspects: angst around the organizational structure, no security “champion” and an infosec team that doesn’t play well with others.
Interestingly, after the transition, the actual challenges turned out to be that secure DevOps takes too much time, resistance to change from the security team itself, and a lack of relationship skills required to bring the two teams together.
Look, cultural changes always take more time than organizations anticipate. We saw this when large development teams and enterprises tried to incorporate security into waterfall processes decades ago. Too often, even in those days, security was “bolted on” at the end of development. Rather than have infosec teams threat model or evaluate a new application during the design stage, all of the security tests and considerations took place at the end of the development cycle. The results were predictable: Application delays due to security issues galore. It took many of these organizations years, if they even tried, to properly integrate application security experts and processes into their workflow.
The transition to DevOps, or DevSecOps, is no different. It takes executive leadership to push the initiatives forward and force stakeholders to the discussion table if need be (it usually is), and it takes good processes and automation of whatever can be automated. What’s different today is the collaborative nature of DevOps organizations and the speed at which updates move down the continuous delivery pipeline. In some ways, the modern continuous delivery process makes automated security testing easier. And because software updates are smaller, many security tests can be more narrowly focused, and the potential errors are much smaller.
But the challenges getting there, as this survey shows, can be steep.