Newly published research reveals that only half of continuous integration (CI) and continuous delivery (CD) workflows include application security testing elements despite respondents citing awareness of the importance and advantages of doing so.
The DevSecOps Realities and Opportunities study by 451 Research, commissioned by Synopsys, appears to suggest that many developers who are well aware of the importance of security in the DevOps process will proceed to ignore it anyway.
Analysing responses from some 350 enterprise decision-makers at large enterprises from a wide range of industry sectors, the study found that software composition analysis (SCA) that identifies open source software components affected by known vulnerabilities is understood to be the most critical application security element to incorporate into the development workflow. Somewhat surprisingly, then, it also discovered that almost 40 percent of organisations don't use SCA (or claim not to have any open source components.) The latter being more surprising still, given that a Black Duck Software report on open source security and risk analysis suggested at least 95 percent of applications do.
"While some DevOps teams are starting to incorporate application security into their CI/CD workflows, driven by factors such as improved software quality, compliance, and risk avoidance, there is ample room for improvement" Jay Lyman, principal DevOps analyst at 451 Research states "in many cases, security testing is not being integrated often or early enough in the process for organisations to fully benefit from reduced risk and rework headaches."
One of the factors cited in the report is that DevOps teams working with large-scale infrastructures are releasing software with significant code changes increasingly faster. 63 percent of respondents said they expected to deploy software four times faster in their DevOps model. "Without a clear and informed strategy" the paper explains "this can make establishing and scaling application security testing within these processes complex and difficult."
SC Media UK asked Elizabeth Lawler, vice president of DevOps Security at CyberArk, why it is that so many developers fail to eat their own dog food? "By their very nature, developers aren't security practitioners" Lawler suggests "they are responsible for features and functionality, not figuring out how to manage credential collaboration and security for those key assets." Therefore, tasking developers with security is "no longer sufficient considering the increasing threat surface in DevOps workflows and the associated risks in managing the scripts, platforms and systems used in automated workflows" she concludes.
Brian Dawson, DevOps evangelist at CloudBees, agrees that “developers know security is important but are focused on their work" telling SC Media UK this often means they "conveniently assume other experts will drive security as part of DevOps." Or a 'not my problem' mentality arising from silos or tribes in other words.
Then there's the fact that, according to Leigh-Anne Galloway, cyber-security resilience lead at Positive Technologies, historically speaking "DevOps and security have not been particularly comfortable bedfellows as developers often think all the security checks needed slows down the process, which then impacts the time to delivery."
When Sonatype surveyed more than 2,000 IT professionals about DevSecOps recently, it confirmed that 35 percent of developers receive no formalised training on secure coding practices. "Additionally, many organisations bolt security on to the end of the development lifecycle where it is owned by the security teams who sit in another organisational silo" warns Sonatype CTO, Brian Fox "thus prohibiting information and best practice sharing."
But what can be done then, if security awareness at least is pretty widespread in the DevOps community, to improve matters? Kevin Bocek, chief cyber-security strategist at Venafi, isn't so assured that awareness has been achieved. "We found only 56 percent of developers in organisations adopting DevOps are aware of the security controls necessary around keys and certificates" he told SC Media UK.
Tim Brown, VP of security at SolarWinds MSP, argues that in order to improve the situation, businesses should change how developers are measured and recognised. "Recognise those that not only produce the most code" Brown says "but those who produce the most bug-free secure code."
We will leave the final word to Ben Herzberg, director of security research at Imperva, who told SC Media that "Security must be bolted into the deployment process" which includes using code-analysis as a pre-requisite to pushing code to production, deploying security controls on staging environments as well as production, and adding security champions to development teams who "can provide peer-review for code before it goes to production."