The DevOps culture and practice has been sweeping rapidly through the technical community.
Combining “Development” and “Operations” roles with automation and monitoring leads to numerous benefits, including faster time to market, fewer failures caused by changes, and shorter downtimes when problems do occur. It’s no wonder DevOps is being widely embraced.
However, security was largely an afterthought in the days of early DevOps adopters, and many organizations are still trying to play catch up when it comes to secure development and deployment automation.
The DevSecOps movement strives to incorporate continuous security into every stage of your DevOps workflow.
Though most organizations would like to implement DevSecOps, many are still trying to bridge the gap between intent and reality when it comes to marrying security with their DevOps program.
Struggling to put the “Sec” in DevOps
A recent survey by Threat Stack gives us insight into some of the obstacles facing those who are still struggling to employ a DevSecOps philosophy.
Threat Stack conducted a survey of 200 security, development and operations professionals from businesses large and small in multiple industry verticals. The results show that while everyone agrees security must be integrated into every phase of the development cycle, there are still obstacles keeping many from reaching their goals.
Tellingly, 85 percent of organizations surveyed said that employing DevSecOps best practices was an important goal, but only 35 percent had actually established the practice. At the same time, 18 percent had no DevSecOps at all.
Silos are one large contributing factor to this gap. Amongst respondents, security specialists are present in only 27 percent of operations teams and a lowly 18 percent of development teams.
In 38 percent of cases, security specialists are in a completely separate team only used “when needed.” To compound the problem, 42 percent of operations teams and 44 percent of developers have not had appropriate security training in secure configurations and secure coding.
The lack of integrated specialists or even general security training is a major obstacle to fostering a healthy DevSecOps environment.
Another obstacle is the need for organizational buy-in from the top down. Sixty-eight percent of companies stated that their CEOs require security and DevOps teams not to slow the business down, and 52 percent of companies have admitted to cutting back on security in order to meet a business objective or deadline.
Not to pick on the C-suite alone: more than half of DevOps teams themselves push back against security best practices.
Getting everyone on the same page regarding your current security posture is an important step on the road to improvement. Threat Stack notes a difference in perception: DevOps professionals rate their organization’s security capabilities higher than security professionals do.
It is important to “know what you don’t know,” and auditing assets and infrastructure for best practice configurations can give concrete information on security posture, especially when it comes to new paradigms such as cloud configurations.
Though there are many advantages that come with DevOps, securing your entire process from development to production and fostering a DevSecOps culture in your organization requires dedication to overcoming these obstacles. Combatting the cybersecurity skills shortage with training and integration, along with buy-in from executives to engineers, are the first steps to achieving your DevSecOps goals.
If you’re already using DevOps tools, I hope this gave you some ideas of how Tripwire can work with your tools and process.