Security, not speed, is shaping up to be the top issue for DevOps teams in 2017, a new survey suggests.
According to the 2017 State of the Application Delivery Report by F5 Networks Inc., security is the number one priority among 2,000 IT, networking, application and security professionals surveyed worldwide.
“Security teams are expanding beyond traditional firewalls and the legacy enterprise perimeter as a response to hackers increasingly targeting the application,” the report states.
Those same security concerns were echoed by senior Canadian IT managers at two CIO roundtables held recently in Toronto and Vancouver. The events were hosted by IT World Canada and sponsored by Hewlett Packard Enterprise (HPE).
“The last piece, for me, is the data and the applications. That’s the last mile we have to protect because your network has extended so far with wireless and third parties. So you don’t really know who’s touching your network,” said Serge Bertini, vice-president and general manager of Canada for HPE.
Among those surveyed globally by F5, the top three security measures planned for 2017 are DNSSEC protection (cited by 25 per cent), DDoS mitigation (21 per cent) and web application firewall (WAF) services (20 per cent).
While most DevOps teams have security top-of-mind, in reality, many aren’t executing their security plans very well, Bertini told the Toronto roundtable.
Although DevOps aims to speed up software development through automation and collaboration between IT and business units during the entire process, Bertini said “security in DevOps is an afterthought. Few people are starting to build this sort of (security) ‘check in, check out’ of code as part of their development lifecycle.”
HPE’s own survey data appear to back that up. In its Application Security and DevOps Report released last fall, the HPE Security Fortify team found only 20 per cent of DevOps teams are performing application security testing during development and 17 per cent aren’t using any security technologies at all to protect their applications.
Bertini said too many DevOps teams only consider security once a new application is finished, a decision that carries a high price for companies and their customers if security snags are spotted late in the process.
“It’s costly to wait until the end when my application is done to check it. If I have to delay my release by four to six weeks, that’s very costly,” Bertini said.
“We know this ‘inspect at the end’ approach doesn’t work. We just have to fix it,” said roundtable moderator Jim Love, CIO of IT World Canada.
Yet even organizations that consider security from the get-go can run into stumbling blocks with DevOps, as one Toronto guest explained.
“We try hard to build in security upfront but there are always concerns about keeping on top of changes that happen after that. You may have a great (application) design but there’s a lot of stuff going on in the middle of the development process,” said the guest, an IT manager for a utility services firm.
If DevOps is all about continuous collaboration throughout the development cycle, why is there such a disconnect between developers and security pros? In the experience of one Vancouver guest, outsourcing parts of the development chain to third-party providers makes security more complicated.
“We’re not impressed with the weaknesses in cloud providers and how the cloud infrastructure providers manage their infrastructure,” said the guest, infosec director at a telecom services company.
A Toronto participant from a large consulting firm noted that when his teams lack the core competencies to develop an application in-house, outsourcing the work to India or other overseas markets adds another layer of security challenges.
A guest from the financial payments sector, however, said Canadian DevOps teams should look inward to improve their own internal communication skills first.
“DevOps with 10 different departments doing 10 different things, it’s hard,” he said.
Ensuring that members of DevOps teams have complementary skill sets would ease that situation, according to a guest from the consulting sector. He said infosec people should get “soft skills” training to communicate with business units using terms they can understand. A fellow participant suggested infosec pros should be able to read and write code so they can literally speak the same language as developers while checking new applications.
As Bertini summarized, “it seems like there’s the security team and the applications team and we’ve got to blur those lines.”