DevOps teams are involved with security but they need to do more. Two recent studies show that tooling is inadequate and that security is not properly integrated into the entire DevOps process.
A DevOps survey of over 1,000 IT pros by Logz.io found that DevOps handles security at 55 percent of organizations. The finding is unsurprising because 1) efforts to shift security left have often been implemented by DevOps teams responsible for interacting with the entire organization, and 2) 32 percent of the respondents were DevOps engineers. Whether or not this means these organizations actually do DevSecOps, 56 percent said they are at least beginning to implement the practice.
Just like with DevOps, DevSecOps can be viewed as either a culture or set of tools. Culture is inoculated via training developers, On the software side, DevSecOps is sometimes defined by the use of automated security testing and code dependency testing. As a sign that current software can do more, 57 percent of the Logz.io respondents said there are not enough tools available to make them successful at DevSecOps.
A different survey by Freeform Dynamics, The Register and Checkmarx provides more perspective on how different teams have to work together to make DevSecOps work. When asked about software security challenges, 62 percent of respondents strongly agreed that developers, testers, security specialists and ops staff need to work together. This desire has yet to match reality. More than half (56 percent) believe that integration of security into the entire DevOps process is either poorly done or non-existent.
Software integrated into a CI/CD pipeline can address some of the need to integrate security into the entire DevOps process. Yet, if this is the case, does that mean that DevOps engineers will be stuck executing the security requirements of Information Security and babysitting Development? Stay tuned for the The New Stack’s next installment in the ongoing DevSecOps saga.
Feature image via Pixabay.