Add It Up: Integrating Security into the Development Pipeline

Integrating security tools into development pipelines remains challenging. Fewer than 60% of companies with mature DevOps practices have correctly integrated the average security tool, according to the 2020 DevSecOps Community Survey. The figures drop sharply from there: companies that have not embraced the DevOps mantra of cross-team communication are often twice as likely not to have security tools properly integrated.

Chart caption: Not all of the tools in this chart have to be integrated into every stage of the SDLC.

If there were no cost involved, DevOps pros would integrate anything and everything they could into their pipeline. In a recent conversation with Derek Weeks, from DevOps automation company Sonatype, he explained: “If you integrate something in that’s going to take two hours to analyze and yet you’re releasing every hour, no one wants that tax.” Consequently, developers will find a workaround to the integrated tool.

By their very nature, software composition analysis and container security tools need to be integrated into CI/CD pipelines. Their effectiveness depends on the degree to which they are automated and on buy-in from all relevant stakeholders. To better understand this subject, we are asking readers to participate in a one-minute poll about security in CI/CD pipelines.
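As an added example (not from the article, and not Sonatype's or any scanner vendor's code), the shell script below sketches a pipeline security stage that reflects the two points above: the scanner runs under a fixed wall-clock budget so it cannot become the "tax" Weeks describes, and its report is gated automatically so the stage fails without waiting for a human to read the results. The scanner command (`fake_scanner`), the tab-separated report format, the severity names and the sample findings are all assumptions constructed for the example; a real SCA or container scanner, invoked the same way, would take the place of the stub.

```shell
#!/bin/sh
# Added example: a CI/CD security stage with a time budget and an automated gate.
# Everything here is constructed for illustration: the report format (one finding per
# line, "SEVERITY<TAB>component<TAB>id"), the severity names and fake_scanner are not
# the output of any real tool.

# run_with_budget CMD...: run the scanner under a wall-clock budget (SCAN_BUDGET_SECONDS,
# default 60) so a slow tool cannot hold up a frequent release. Implemented in plain shell
# (background job plus watchdog) so that shell functions work as scanners too; returns 124
# when the budget is exhausted, mirroring the coreutils `timeout` convention.
run_with_budget() {
  "$@" & job=$!
  ( sleep "${SCAN_BUDGET_SECONDS:-60}"; kill "$job" 2>/dev/null ) & watchdog=$!
  wait "$job"; rc=$?
  kill "$watchdog" 2>/dev/null
  if [ "$rc" -eq 143 ]; then return 124; fi   # 128+SIGTERM: the watchdog fired
  return "$rc"
}

# fake_scanner REPORT_PATH: stand-in for an SCA or container scanner; writes a
# constructed report with one finding at each of three severities.
fake_scanner() {
  printf 'CRITICAL\tlibexample\tEXAMPLE-0001\nHIGH\tbase-image\tEXAMPLE-0002\nLOW\tutil\tEXAMPLE-0003\n' > "$1"
}

# blocking_findings REPORT THRESHOLD: print the number of findings whose severity is at
# or above THRESHOLD (LOW < MEDIUM < HIGH < CRITICAL).
blocking_findings() {
  awk -F'\t' -v min="$2" '
    function rank(s) { return s=="CRITICAL" ? 4 : s=="HIGH" ? 3 : s=="MEDIUM" ? 2 : s=="LOW" ? 1 : 0 }
    rank($1) >= rank(min) { n++ }
    END { print n + 0 }' "$1"
}

# gate_report REPORT THRESHOLD: return 0 when nothing at or above THRESHOLD was found,
# 1 otherwise. This is what makes the stage automated rather than advisory.
gate_report() {
  n=$(blocking_findings "$1" "$2")
  if [ "$n" -gt 0 ]; then
    echo "security gate: $n finding(s) at or above $2, failing the stage" >&2
    return 1
  fi
  echo "security gate: no findings at or above $2"
}

# run_stage THRESHOLD SCANNER...: the whole stage as a pipeline job would call it.
# Exit codes: 0 pass, 1 findings at or above threshold, 2 scanner failed or exceeded budget.
run_stage() {
  threshold=$1; shift
  report=$(mktemp)
  run_with_budget "$@" "$report"; rc=$?
  if [ "$rc" -eq 124 ]; then
    echo "security gate: scanner exceeded budget of ${SCAN_BUDGET_SECONDS:-60}s" >&2
    rm -f "$report"; return 2
  elif [ "$rc" -ne 0 ]; then
    echo "security gate: scanner failed with status $rc" >&2
    rm -f "$report"; return 2
  fi
  gate_report "$report" "$threshold"; rc=$?
  rm -f "$report"
  return "$rc"
}

# Stand-alone demo: the constructed report holds CRITICAL and HIGH findings, so gating at
# HIGH fails the stage with status 1, which is what should block the release.
run_stage HIGH fake_scanner || echo "stage finished with status $?"
```

The budget and the threshold are the two knobs a team negotiates with its stakeholders: the budget keeps the stage inside the release cadence, and the threshold decides which findings are allowed to break the build rather than merely be reported.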
Feature image via Pixabay.
Sonatype is a sponsor of The New Stack.