DevOps approaches have become a fixture in most businesses, but integration with security operations is lagging behind.
New research commissioned by global technology services provider Claranet has found that 88 per cent of UK businesses have either adopted a DevOps approach or plan to adopt one in the next couple of years. Despite this, fewer than one in five (19 per cent) are fully confident in their ability to integrate security into this philosophy – also known as DevSecOps. This underlines the potential data security risks that businesses are creating for themselves – especially given how DevOps tends to outpace traditional security controls – and the work that needs to be done within IT departments to embed and automate security best practices into the entire DevOps lifecycle.
The research, conducted by market research firm Vanson Bourne, included 300 respondents from businesses in both the UK and USA. It found that just under half (47 per cent) of UK organisations have adopted a DevOps approach, with an additional 41 per cent planning to make this a reality in the next couple of years, indicating that DevOps is becoming a de facto way of working for many IT departments.
However, when considered alongside the fact that a fifth of organisations doubt their capability to deliver DevSecOps, it becomes clear that there is a significant disconnect between DevOps capabilities and DevSecOps readiness. This lack of full emphasis on security as part of the DevOps process could lead to data security issues further down the line.
Commenting on the findings, Sumit (Sid) Siddarth, Director at NotSoSecure (a Claranet Group company) said:
Embracing DevOps is clearly at the forefront of the minds of the majority of IT leaders across the UK, which provides some cause for encouragement. But the overall lack of integration of security best practices into this process shows that, for many businesses, security is still being considered as something that is administered separately to the development lifecycle, rather than incorporated into it from end to end.”
Given the frequent development cycles that are an inherent characteristic of DevOps, seeing security as a separate entity can slow processes down and reduce efficiency, which either compromises the agility which is so central to any DevOps philosophy, or leads to windows where vulnerabilities can be released and won’t be spotted until the next security testing cycle.”
To remedy this issue and help the IT department to effectively transition to a DevSecOps approach, Siddarth believes that training of staff throughout the IT department is essential, as is the adoption of new approaches to security testing and continuous monitoring and analytics throughout the DevOps lifecycle, whether this be in planning, coding, pre-production or decommissioning. To do this, businesses should be willing to enlist the expertise of third parties who are well-versed in meeting the DevSecOps challenge.
While the benefits of DevSecOps are clear, actually making it a reality is a complex process that can’t be completed overnight. Working out how to implement and automate application security – such as continuous monitoring and static analysis – within existing CI/CD pipelines takes time and effort, so it’s important that organisations receive in-depth guidance in how to make this happen. Furthermore, newer approaches to security testing, such as continuous security testing, need to be used to ensure any testing approach is keeping up with the rate of change DevOps approaches allow for.”
This guidance should be tailored to everyone involved in the DevSecOps process. Development teams need to be trained in order to heighten their security awareness and figure out how they can work with their security-focused colleagues, and security personnel will benefit from learning how their role fits within the wider DevOps ecosystem. If these formerly disparate components can be brought together, an effective DevSecOps philosophy will follow as a matter of course.”