Integrating Security into Build Processes Signals DevSecOps Tipping Point
The journey to DevSecOps maturity does not neatly shift left along a software development lifecycle (SLDC). Companies start adding security into the testing phase and then usually integrate security as they deploy applications into production. The nearly 3,000 technical professionals and executives surveyed for the “2019 State of DevOps Report” believe these steps positively impact a company’s security posture. Yet, adding “security” to testing and deployment also increases friction between security and developer teams.
Unsurprisingly, only 38% of respondents that do not integrate security at all say security policies or processes improve their company’s security posture. The report, from Puppet, CircleCI and Splunk, uses the number of SDLC phases involved with security to gauge the level of integration. The testing and deployment are the two phases that are most likely to be integrated with security. Just doing this has a positive impact. Build is usually the next phase to be integrated. Overall, 74% of those reporting integration of at least three phases noted a positive impact on their company’s security posture. The requirements and design phase are most likely to deal with security at companies that integrate all five of the stages of software development.
Level 1 (16% of the study) = No integration of security in any of the SDLC phases; Level 2 (22%) = Minimal integration (one of five phases); Level 3 (25%) = Selective integration (two of five phases); Level 4 (24%) = Significant integration (three or four of five phases); Level 5 (14%) = Full integration (all phases).
The study digs digs deeper to determine the security practices most likely to improve respondents’ outlook. Using regression analysis, the study found that collaboration on threat models and developer tools that allow security features to be implemented during the deployment phase have the greatest impact, but are also among the least common of the 15 security practices asked about. Echoing research from Tricentis, having security experts evaluate (and prioritize) automated software tests also has a big impact on security but occurs less often than 13 other practices.
The higher the “level,” the more parts of the SDLC have involvement of “security”.
Thirty-eight percent of companies that do not integrate security into the SDLC also do not have friction between the security and development teams, probably because there is little collaboration. The first one or two development phases to be integrated see the occurrence of team conflict rise to 48%. Friction between the teams drops among those that claim to have software security covered from A to Z. By this point, there is a general acknowledgment that security is a shared responsibility, and fewer people believe security is a major constraint on delivering software quickly.
The exact definition of security integration is hard to pin down. Does it mean security is a factor in decision making across a corporation? Or does it mean that the security team is directly involved? The study found that 31% of have both a centralized security function and application delivery teams with designated security experts, and another 14% of companies have decentralized the security and instead have only team-based security experts. Size plays a role in how security is handled. Small companies are more likely to use a pure decentralized security organization. Plus, teams that have 10 or fewer members are significantly less likely to have a designated security expert.
In another survey, this one conducted by the Enterprise Strategy Group and co-sponsored by The New Stack sponsor Capsule8, found that 55% of incorporated security into their DevOps processes. It also reports that only 21% of respondents have more than half of cloud native applications being secured via involvement of a cybersecurity team.
Only 21% have more than half of their cloud-native applications being secured via involvement of a cybersecurity team. There is an expectation this will change dramatically in the future, but how long will it take to happen? From an @esg_global survey. https://t.co/pvc8tNGzqD pic.twitter.com/EkzVZUTTwW
— Lawrence Hecht (@LawrenceHecht) September 25, 2019
There were many other interesting findings in “State of DevOps 2019 Report.” You will find below tweets that provide color on how quickly security vulnerabilities can be remediating. Taken as a whole, they remind us that on-demand deployment is valuable even when it is not utilized.
Integrating security into the SDLC has little impact on the ability to remediate a critical security vulnerability within a day. 48% of companies with no integration remediate within a day vs 50% for the full integrated. https://t.co/QRMH2OUUJb pic.twitter.com/VCmKuGO24n
— Lawrence Hecht (@LawrenceHecht) September 25, 2019
By definition a low-level issue shouldn't delay things — so developers have their priorities right. When a developer can't raise a flag about a critical security flaw, then the CIO, CISO, etc. should be held accountable. #DevSec #DevSecOps #appsec https://t.co/7JoNpdG9Ac
— Lawrence Hecht (@LawrenceHecht) September 25, 2019
Perspective on Developer Velocity: Only half of companies that can deploy on demand actually do so. https://t.co/QRMH2OUUJb pic.twitter.com/aLmm0mfLHO
— Lawrence Hecht (@LawrenceHecht) September 25, 2019
Capsule8, CircleCI, Puppet, and Tricentis are sponsors of The New Stack.
Feature image via Pixabay.
