Why DevSecOps is key to future-proofing your software development lifecycle
Mon 20 Apr 2020 | James Orme
Across the board, the bottleneck-reducing philosophy of DevOps has become the central approach for cloud-native enterprise software development and deployment, ushering in a cultural shift in how processes, code and technology are delivered. Those adopting DevOps practices have excelled in becoming more responsive to customer needs and are delivering software at blistering speeds.
Right now the world is reckoning with a pandemic that has a litany of implications across the tech space. One of the most urgent concerns is that opportunistic cyber attackers are exploiting the fast-moving and fluid situation to prey on vulnerabilities in company code and infrastructure. It has never been more important for organisations to maintain a secure infrastructure that combines speed with security.
DevSecOps, an approach which fosters close collaboration between Development, Operations and Security teams, has been steadily gaining traction in recent years. Practically speaking, DevSecOps embeds automated security and compliance testing into the Software Development Lifecycle itself. The goal is to reduce vulnerabilities in code and infrastructure configurations.
There are varying levels of DevSecOps uptake. But those more experienced with the approach have the peace of mind of knowing that, when time or resources are strained, speed will never come at the expense of security, and their organisation can navigate crises with confidence.
Chef recently commissioned a survey of security professionals in order to provide greater insight into what security leaders are most concerned with and how collaboration with I&O (Infrastructure & Operations) is needed within enterprise-sized organizations.
The company sought to determine how important DevSecOps is within the Software Development Life Cycle (SDLC), the importance of audits within DevSecOps and the overall impact DevSecOps is having on enterprises.
Here is what they found out:
- Automation speeds software delivery and improves quality – DevSecOps adopters are 3x as likely as non-adopters to see security as something that speeds software delivery, and most organizations (84 percent) agree security improves quality as well.
- Audits present an enormous automation opportunity – audits are time-consuming, taking 2 months to complete on average, and are also considered the top pain point addressed by DevSecOps.
- DevSecOps practices are becoming widespread – 78 percent of organizations surveyed have adopted or are planning on adopting DevSecOps practices.
How important is DevSecOps in the SDLC?
We found out that Security is part of the broader IT organization (76 percent of respondents confirm), and is considered a CRITICAL part of the Software Development Lifecycle by a majority of respondents. While Security’s importance is unquestionable, it’s interesting to note that the adoption of security practices is not as commonplace as we’d expect.
Organizations that have adopted DevSecOps practices have assessed for security compliance in every stage of the SDLC, in stark contrast to the non-adopters, who concentrated assessment in Plan, Test and Deploy.
It is interesting that, despite frequent security/compliance assessments, so many applications are released with vulnerabilities, with nearly three-quarters of companies releasing flawed applications more than once a year.
Importance of Security Audits
Collaboration between all teams involved in security audits (Development, Security and Operations) is very strong, with the majority of respondents (93 percent) indicating good or excellent collaboration among the teams.
The average security scan takes about 5 hours to complete, while security audits take as long as 2 months on average to complete, and 71 percent of respondents confirm that an audit takes more than a month to complete.
Security teams are generally efficient in providing audit feedback, and Dev and Ops teams are highly confident in the accuracy of that feedback. Most companies effectively integrate the security feedback, but there is room for improvement, since only 28 percent believe the feedback is integrated extremely effectively.
Impact of DevSecOps
DevSecOps impacts the pace AND quality of the software delivered. The survey results showed that 47 percent of adopters believe DevSecOps increases their speed, while 42 percent of non-adopters say it slows them down. As far as quality is concerned, 84 percent of respondents believe DevSecOps improves the quality of the software delivered.
Most organizations have adopted or are considering adopting DevSecOps, with 78 percent of respondents confirming this; the most common objections to adopting these practices are money, time and resources. Adoption of DevSecOps and automated security and compliance testing is a recent phenomenon, with most organizations having done so within the past 2 years.
- For more stats download the survey whitepaper.