Report says DevOps adopters are failing on security


Organizations are embracing the DevOps approach to software development with fervor, but they’re overlooking security in the process.

That’s according to a new report (pdf) by Hewlett Packard Enterprise Co. that was released in the wake of last week’s massive distributed denial-of-service attack on the domain name server hosting provider Dynamic Network Services Inc. HPE concludes that organizations are missing a major opportunity to enhance security at the application level by failing to break down silos that inhibit cooperation between development and security teams.

How organizations adopting DevOps are securing applications. Source: Hewlett Packard Enterprise (https://saas.hpe.com/en-us/sites/default/files/resources/files/HPE%20Application%20Security%20and%20DevOps%20Report.pdf)

The report, which includes both a quantitative survey and interviews with IT operations, security and development professionals, found that an overwhelming 99 percent of respondents agree that DevOps has the opportunity to improve application security. However, only 20 percent are doing application security testing during development, and one in six doesn’t use any technologies to protect applications, focusing instead on now largely discredited perimeter controls. HPE didn’t reveal how many respondents took part in its quantitative research.

DevOps is a new form of rapid application development that stresses close co-operation between development and application owners, frequent releases and high levels of automation. Typically, developers control both the code and the environment in which it will run, a technique that improves efficiency and test quality.

Rapid spread

Researchers found that DevOps is spreading rapidly throughout organizations in line with Gartner Inc.’s recent forecast that half of enterprises will be using the methodology in some form by the end of this year. Forrester Research Inc. has reported that DevOps is transformational, with organizations going from an average of four application releases per year in 2010 to 120 releases per year by 2020.

In theory, DevOps enables organizations to find and fix vulnerabilities more frequently and earlier in the application lifecycle, thereby saving cost and time. However, most organizations treat security as a separate and distinct function and set of skills, in effect making security someone else’s problem.

That’s making it harder for security professionals to do their work. Nine in 10 of them told HPE that the task of integrating security into applications has become more difficult since their organizations deployed DevOps. In most organizations, security continues to be handled the same way it has for years.

Same old, same old

“When asked how organizations adopting DevOps are currently protecting applications, the overwhelming majority cited security practices or controls downstream of the software development lifecycle (SDLC), with only 20 percent stating that secure SDLC testing is done throughout development,” the report says. “Overwhelming sentiment emerged that DevOps in itself has had little to no impact on application security adoption or effectiveness.”

Another impediment is that developers aren’t trained in or rewarded for good security practices. HPE researchers scanned more than 100 job postings for software developers at Fortune 1000 companies and reported that none specified security or secure coding experience or skills. Furthermore, none of the top 10 college-level computer science programs requires a security class to graduate.

Workloads are also piling up. Surveyed organizations reported employing an average of 900 developers, compared with just 11 security professionals. “This ratio, in combination with the increasing velocity of development, is leaving application security professionals unable to keep up,” HPE said.

The report recommends that security become a shared responsibility across the organization and that more tools should be deployed to automate security practices at the coding stage.

Photo by J. Ott via Flickr CC