A recent study found that closer integration between organizations' security and DevOps teams is needed to bake security into their products more effectively.
The Hewlett Packard Enterprise (HPE) "Application Security and DevOps Report 2016" found that while 99 percent of respondents agree that adopting a DevOps culture can improve application security, only 20 percent are doing application security testing during development.
In addition, 17 percent are not using any technologies to protect their applications, which means there is a significant disconnect between the perception and reality of secure DevOps, the study said.
To make matters worse, 90 percent of security professionals stated that integrating application security has become more difficult since their organizations deployed DevOps, due to organizational barriers between security professionals and developers.
A lack of awareness, emphasis and training for developers may contribute to the discrepancy: researchers found that, out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the required skills.
Researchers said it is crucial that organizations build security into their development chain and strategically implement security automation to help close these gaps.
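One concrete form of the security automation the researchers recommend is a policy gate in the build pipeline: scanner findings are turned into a pass/fail decision that the pipeline enforces on every change, so testing happens during development rather than after release. The example below is added here and is not code from the HPE report or from any vendor; the JSON report shape, the severity scale, the sample findings and the exception policy are all constructed assumptions for illustration.

```python
"""Build-pipeline policy gate for application security scanner output.

Added example, not from the HPE report or the article. Assumes a simple
JSON findings format (constructed here) and a policy with a severity
threshold plus time-boxed, path-scoped exceptions.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Severity ordering assumed for this example; real scanners differ.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    message: str


@dataclass
class GatePolicy:
    # Findings at or above this severity block the build.
    fail_threshold: str = "high"
    # Time-boxed exceptions: (rule_id, path) -> date the exception expires.
    # Scoping to a path stops one approval from silencing a rule everywhere.
    exceptions: dict = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    blocking: list
    suppressed: list
    expired_exceptions: list


def parse_findings(report_json: str) -> list:
    """Parse a scanner report in the simple JSON shape assumed here."""
    data = json.loads(report_json)
    return [
        Finding(f["rule_id"], f["severity"].lower(), f["path"], int(f["line"]), f["message"])
        for f in data.get("findings", [])
    ]


def evaluate_gate(findings, policy, today=None) -> GateResult:
    """Decide whether the build passes; returns the findings behind the decision."""
    today = today or date.today()
    threshold = SEVERITY_RANK[policy.fail_threshold]
    blocking, suppressed, expired = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity)
        if rank is None:
            # Fail closed: an unrecognised severity blocks the build instead
            # of being silently dropped by a lookup that returns nothing.
            blocking.append(f)
            continue
        if rank < threshold:
            continue  # reported, but not a release blocker under this policy
        expiry = policy.exceptions.get((f.rule_id, f.path))
        if expiry is not None and expiry >= today:
            suppressed.append(f)  # approved exception still in force
        else:
            if expiry is not None:
                expired.append((f.rule_id, f.path, expiry))  # lapsed approval
            blocking.append(f)
    return GateResult(not blocking, blocking, suppressed, expired)


# Constructed sample scanner output for the demonstration.
SAMPLE_REPORT = """
{"findings": [
 {"rule_id": "SQLI-001", "severity": "high", "path": "app/db.py", "line": 42,
  "message": "String-formatted SQL query"},
 {"rule_id": "XSS-002", "severity": "medium", "path": "app/views.py", "line": 17,
  "message": "Unescaped template output"},
 {"rule_id": "CRYPTO-003", "severity": "critical", "path": "app/auth.py", "line": 88,
  "message": "Weak hash for password storage"},
 {"rule_id": "DEBUG-004", "severity": "unknown", "path": "app/settings.py", "line": 3,
  "message": "Debug flag enabled"}
]}
"""

# Constructed policy: one exception still valid, one that has lapsed.
SAMPLE_POLICY = GatePolicy(
    fail_threshold="high",
    exceptions={
        ("CRYPTO-003", "app/auth.py"): date(2030, 1, 1),
        ("SQLI-001", "app/db.py"): date(2016, 1, 1),
    },
)


def run_sample() -> GateResult:
    """Evaluate the constructed report as of a fixed date so results are stable."""
    return evaluate_gate(parse_findings(SAMPLE_REPORT), SAMPLE_POLICY, date(2016, 11, 1))


if __name__ == "__main__":
    result = run_sample()
    print("PASS" if result.passed else "FAIL")
    for f in result.blocking:
        print(f"  blocking  {f.rule_id} {f.path}:{f.line} [{f.severity}] {f.message}")
    for f in result.suppressed:
        print(f"  suppressed {f.rule_id} {f.path}:{f.line} (approved exception)")
    for rule_id, path, expiry in result.expired_exceptions:
        print(f"  expired exception {rule_id} {path} (lapsed {expiry})")
```

Two design points matter more than the parsing: the gate fails closed on a severity it does not recognise, and exceptions are both scoped to a file and given an expiry, so a risk accepted once does not quietly become permanent. The suppressed and expired lists are returned rather than discarded so the pipeline can surface them to the security team, which is the feedback loop the report calls for.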
In addition, there is a shortage of application security talent: researchers found only one application security professional for every 80 developers surveyed.
"Adopting a DevOps process can help make applications more secure, since the development and production environment are built the same way and to the same security standards and testing," Burberry Group Information Security Officer John Meakin said in the report. "However, it requires a commitment across the organization to prioritize security, and incorporate more automated testing solutions that make it easier to gather real-time feedback and remediate vulnerabilities throughout the development process."
Many DevSecOps programs today are looking to perform vulnerability detection and remediation faster, as well as to add real-time protections to production applications via runtime security, Prevoty co-founder and CTO Kunal Anand told SCMagazine.com in emailed comments.
"The challenge with the former is that it still takes engineering and QA resources to qualify and fix results in vulnerability reports," Anand said. "The benefit of the latter (runtime security) is that an organization can get visibility for and protection against attacks, which can help prioritize issues that need to be fixed and optimize the DevSecOps workflow."
He went on to say that, overall, DevSecOps is important and application security needs to be directly addressed.