DevSecOps survey is a reality check for software teams: 5 key takeaways

Rob Lemos Writer and analyst

Companies looking for more efficient software development—and to head off security threats—are increasingly integrating security with a DevOps-style pipeline, but budget issues and a shortage of knowledgeable application security professionals are hindering efforts, a survey of nearly 1,200 IT and software-security leaders found.

The survey—conducted by IDC and sponsored by Micro Focus, which owns TechBeacon—focused on software development methods in the Asia-Pacific region and found that about 40% of companies have pushed DevOps to make software development more efficient and now are adding security to the mix. An equal share of business leaders identified efficient software development, security, and business agility as the main factors driving adoption of their DevSecOps initiatives.

Gina Smith, IDC Asia/Pacific's DevOps Research lead, said in a statement about the survey that it was a step in the right direction for organizations that want to adopt an end-to-end security approach.

"The pressure to fully embed security into the continuous delivery pipeline signals a major shift towards a stronger DevSecOps culture, characterized by the abandonment of siloed functional teams in favor of shared responsibilities between developers and security experts."
Gina Smith

Integrating security into DevOps has long been on companies' to-do lists, but the current fluid market requires businesses to be more agile, and that means increased pressure to make development agile as well.

Here are five lessons from IDC's DevSecOps survey for software teams.

1. The pandemic has pushed companies to DevSecOps

The coronavirus pandemic has brought perhaps the fastest changes to the market in a generation. Almost 80% of companies have most of their employees—more than 60%—working from home, according to a survey conducted by PricewaterhouseCoopers.

With that change comes innovation, and software makers are pushing hard to innovate, which means they need faster development cycles. These pressures have accelerated DevOps and DevSecOps adoption, with the pandemic driving demand for new services and resulting in more frequent use of applications, according to the IDC study. Nearly three-quarters of all firms have accelerated their DevSecOps initiatives, according to the survey.

2. Security maturity lags for more than half of firms

While companies have increasingly focused on security, only 45% of survey respondents graded the integration between their software development, operations, and security as high or unified. More than half gave their company's efforts a modest or low rating.

Even that number seems optimistic, given that only 40% of companies are integrating security into their DevOps initiatives. However, there are quick wins that can put your company on the road to maturity, said Chris Romeo, CEO of SecurityJourney, an application-security training firm.

"If you are new to DevOps and you are trying to layer in security, what do you do? Find the one big [class of security issues] that exists in your world, and say, 'Let's take care of that.'"
Chris Romeo

3. Culture is an underrated barrier

On the list of obstacles to a successful transformation to DevSecOps, the top hurdles are budget issues and a dearth of talent and skills. However, the No. 6 hurdle—cultural resistance—underpins a lot of the other issues and so should get more attention, Romeo said.

"All of these things are culture issues. What drives budget: If we have a culture of building secure software quickly, then budget is not an issue. What develops talent: You can build the people through training and create DevSecOps experts."
Chris Romeo

A company that develops a strong security culture will have the discipline to tackle other challenges, he said.

4. Teams, not just tools

About 40% of the business and IT leaders surveyed believe that they already have unified DevOps teams, with security now being added. Yet issues such as budget pressures and a lack of skilled application security workers have slowed progress.

But many of those respondents are probably confusing security tooling with efforts to integrate security teams into development, which is much harder, said Marc French, CISO and managing director at application security consultancy Product Security Group.

"We have to define integration. If we are talking about tools in the pipeline, then 40% seems about spot on. But if we are talking about integrating the application-security team with the DevOps team, then that seems really high. I don't think we are there yet."
Marc French

5. Software composition analysis is a good start

The largest share of companies—about one quarter—relied on software composition analysis (SCA) tools to drive their security testing. That makes sense, said French.

"It's the 80/20 rule, my friend. You can drop that in the pipeline and get a lot of checking for very little effort."
Marc French

Even for companies that consider budget to be an obstacle to security efforts, SCA is a good start. "You can get a ways along the security chain for low dollars," he said. "Software composition analysis is the easy first thing to do—the OWASP dependency checker is free, for example."

While free security software and services may not have the same depth or breadth as commercial services, gaining experience and culling the low-hanging fruit is important, French said.
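Dropping an SCA scanner into the pipeline only pays off if the build actually reacts to what the scanner finds. The following script is an added example, not code from the article or from any of the tools it mentions: it reads an SCA report, applies a CVSS threshold in the spirit of Dependency-Check's `--failOnCVSS` option, honours a small allowlist of reviewed exceptions, and returns a non-zero exit status so the CI job fails. The report layout (a `dependencies` list with per-dependency `vulnerabilities`, each carrying `name`, `severity` and `cvssv3.baseScore`) is an assumed simplification of the Dependency-Check JSON output, and the embedded sample report and its `CVE-0000-000x` identifiers are constructed placeholders.

```python
"""Gate a CI pipeline on a software composition analysis (SCA) report.

Assumed, simplified report layout modelled on OWASP Dependency-Check's JSON
output: a top-level "dependencies" list, each entry with a "fileName" and an
optional "vulnerabilities" list whose items carry "name", "severity" and a
"cvssv3" object with "baseScore". Real reports contain many more fields.
"""
import json

# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "commons-example-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "logging-example-2.1.jar", "vulnerabilities": []},
        {"fileName": "util-example-0.9.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
         ]},
    ]
})


def findings(report_text):
    """Flatten the report into (dependency, cve, score) tuples."""
    report = json.loads(report_text)
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []) or []:
            score = float(vuln.get("cvssv3", {}).get("baseScore", 0.0))
            out.append((dep["fileName"], vuln["name"], score))
    return out


def evaluate(report_text, fail_on_cvss=7.0, allowlist=()):
    """Decide whether the build passes.

    fail_on_cvss mirrors the idea behind Dependency-Check's --failOnCVSS: any
    finding at or above the threshold fails the build unless its CVE id is on
    the allowlist (a reviewed, time-boxed exception, e.g. a vulnerable code
    path the application never reaches). Returns (passed, blocking, ignored).
    """
    blocking, ignored = [], []
    for dep, cve, score in findings(report_text):
        if score < fail_on_cvss:
            continue
        (ignored if cve in allowlist else blocking).append((dep, cve, score))
    return (not blocking, blocking, ignored)


def summary(report_text, fail_on_cvss=7.0, allowlist=()):
    """Human-readable result for the CI log, worst finding first."""
    passed, blocking, ignored = evaluate(report_text, fail_on_cvss, allowlist)
    lines = []
    for dep, cve, score in sorted(blocking, key=lambda f: -f[2]):
        lines.append(f"BLOCK  {cve} ({score}) in {dep}")
    for dep, cve, score in ignored:
        lines.append(f"ALLOW  {cve} ({score}) in {dep} (allowlisted)")
    lines.append("PASS" if passed else "FAIL")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python sca_gate.py path/to/dependency-check-report.json
    # Without an argument the constructed sample report is evaluated.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summary(text))
    sys.exit(0 if evaluate(text)[0] else 1)
```

Start with a high threshold so the first runs surface only the worst findings, then lower it as the backlog is cleared; the allowlist should live in version control next to the pipeline definition so that every exception is reviewed like any other change.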

Keep it simple, make it stronger

Simple wins, a stronger security culture, and automated security testing will all help your organization become more mature in its security programs, Stephen McNulty, president of the Asia Pacific and Japan region for Micro Focus, said in a statement.

"The most holistic approach to DevSecOps that will play a key role in increasing organizations’ maturity level involves making security an integral part of every software development project, striving for 100% automated testing, and continuously analyzing application performance for potential gaps."
Stephen McNulty
