Add It Up: Integrating Security into the Development Pipeline
Integrating security tools within development pipelines continues to be challenging. Fewer than 60% of companies with mature DevOps practices have correctly integrated the average security tool, according to the 2020 DevSecOps Community Survey. The actual figures drop dramatically from there; companies that haven’t embraced the DevOps mantra of cross-team communication are often twice as likely to not have security tools properly integrated.
If there weren’t a cost involved, DevOps pros would integrate anything and everything they could into their pipeline. In a recent conversation, Derek Weeks of DevOps automation company Sonatype explained: “If you integrate something in that’s going to take two hours to analyze and yet you’re releasing every hour, no one wants that tax.” Consequently, developers will find a workaround to the integrated tool.
By their very nature, software composition analysis and container security tools need to be integrated into CI/CD pipelines. Their effectiveness depends on the degree to which they are automated and on buy-in from all relevant stakeholders. To better understand this subject, we are asking readers to participate in a one-minute poll about security in CI/CD pipelines.
Sonatype is a sponsor of The New Stack.