The road to hell is paved with good intentions, and while nearly all respondents in a recent HP Enterprise survey agree that DevOps culture could strengthen security, there’s still a long way to go.
The Application Security and DevOps Report 2016 just released by the HPE Security Fortify team closely examines the challenges many organizations face in integrating security across DevOps, and found that 99 per cent of all respondents agreed that adopting a DevOps culture presents an opportunity to improve application security. However, only 20 per cent are in fact doing application security testing during development as most organizations are relying on the technologies downstream, such as pre-production penetration testing and network security.
Further highlighting the disconnect between the perception and reality of secure DevOps is that 17 per cent weren’t using any technologies to protect their applications.
DevOps is a process that gets developers, IT professionals and business users working as a team to build, test and release software.
Scott Johnson, Fortify’s director of product management, said there’s another disconnect at play, according to the survey, and it’s between developers and security teams. Some survey respondents admitted to not even knowing their security teams. As a result, 90 per cent of security professionals stated that integrating application security has become more difficult since deploying DevOps.
Not only do many developers not know their security teams, but there’s also a lack of security awareness, emphasis and training for developers, the study found, combined with a shortage of application security talent: for every 80 developers in an organization, there is only one application security professional. The HPE research also found that only 15 per cent of chief security officers have a background in development.
Johnson said HPE conducted the survey to validate the need for tools to better tie DevOps and security together, and to better understand where customers were with regards to DevOps, and the research shows customers fill a wide spectrum of maturity. “Some are fully embracing DevOps and its tools. Others are just starting.”
In general, spending is going up in the application security segment, but Johnson said the fact that 17 per cent aren’t using technologies to protect applications is disconcerting, given the prevalence of cyber attacks and how often vulnerabilities are at the code level. “The vulnerability in the code is the point of execution.” While the network and the device are the transport for bad actors, he said, it’s less likely to matter if the code can’t be exploited.
Johnson said eliminating more vulnerabilities while the code is being written has the potential for much better outcomes than reacting with patches, especially as the pressure to release more applications more quickly to stay competitive, meet market demand and satisfy customer feature requests increases. Layering security on top instead of building it in becomes problematic, he said; it needs to be part of the workflow.
“Developers are not necessarily trained for security,” said Johnson. “They write code as fast and clean as possible. Security is not part of process.”