Risk and vulnerability management is the top reason to implement security throughout the software development lifecycle (SDLC), but the second most common reason is improving code quality according to the DevSecOps Community Survey 2019, which was primarily completed by people in development, DevOps and architect roles. However, this does not appear to be enough motivation to integrate security automation into the development process.
Only 11 percent of the DevSecOps survey said their security tools are fully integrated and automated into the DevOps pipeline, with 52 percent saying manual steps are required. Of course it is hard to integrate into a DevOps pipeline if you don’t have one, but the figure doesn’t change much for those with mature DevOps practices (representing 27 percent of the study’s 5,558 respondents). Among this group, 54 percent said security tooling is not completed automated.
DevOps is closely associated with automation, but only of a particular part of the SDLC — the building and deploying applications. In fact, 74 percent of companies with mature DevOps practices perform automated application security analysis during the build/CI (continuous integration) step. A note of caution — the survey actually saw a decline in automated scanning in the testing and quality assurance (QA) phase of the SDLC. Perhaps this indicates that the QA role is being diminished or at least “shifted left.”
Developer Velocity and Security Testing
We previously noted the c-suite doesn’t have a grasp about the frequency of application releases. People at the intersection of development, security and IT operations have different angles. While 10 percent of business executives think applications are released at least once a month, 83 percent of the DevSecOps survey said they deploy into production more than once a month. The huge discrepancy in the figures is because most people still look at development as an iterative process delivered in big chunks called releases.
A 2018 survey of security professionals by the SANS Institute provides another perspective. In that report, 66 percent said their organization deploys system changes to production applications at least once a month. Seventeen percent deploy changes to production at least once a day, which is similar to the 21 percent that deploy at least daily in the DevSecOps report.
The SANS Institute’s report provides a reminder that automation can be added quickly to specific parts of the SDLC. Forty-seven percent of the surveyed security pros said their organization test business-critical applications at least daily, which is double the 23 percent doing so in 2017. However, for now, those deploying changes to production applications at least daily stayed constant at 17 percent.
By running something like a vulnerability scanner, it is relatively easy to automate security testing for production applications. CD/CI tools are adding similar scanning capabilities earlier in the development process. Machine learning and artificial intelligence are helping, but for now, it is a pipe dream to think that all application development, deployment and security processes will be automated into one DevOps pipeline.
Source: “Secure DevOps: Fact or Fiction?” a SANS Institute survey.
Feature image via Pixabay.