DevOps embraces security measures to build safer software
23 March 2017
DevOps is not simply transforming how developers and operations work together to deliver better software faster, it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that DevOps teams are increasingly adopting security automation to create better and safer software.
It is no secret that traditional development and operations teams view security controls as slow and cumbersome, and often look for ways to bypass the requirements in their rush to get software out the door. However, only 28% of respondents from organisations with mature DevOps practices felt that security requirements slowed down software development, Sonatype found in its 2017 DevSecOps Community Survey. In fact, 84% of respondents from mature DevOps organisations viewed application security as a safety measure, not an inhibitor to innovation.
“DevOps is not an excuse to do application security poorly; it is an opportunity to do application security better than ever,” said Wayne Jackson, CEO of Sonatype.
While about a quarter of the respondents to the online survey, which included developers, DevOps teams, IT managers, team leads, architects, and build and operations engineers, considered security a top development concern, that figure jumped to 38% among respondents who worked at organisations with a mature DevOps culture. Those respondents said their developers spend a lot of time on security.
The stark difference in the importance developers place on application security seems to depend on how far along the organisation is on its DevOps journey. Just as security tends to play a more visible role in organisations with mature IT operations, the same pattern is playing out with DevOps. As developers and operations get more comfortable working together to release better software faster, they are looking for other areas to improve. Developing safer software is the logical next step.
It is a self-fulfilling prophecy. As teams automate security tasks and find vulnerabilities earlier in the development lifecycle, the cost of releasing secure software goes down. As software security becomes less of an inhibitor, they are more likely to view application security positively and be willing to automate security in even more areas.
“Successful application security has been defined as increased automation that doesn’t slow down the development and operations process,” said Tyler Shields, vice president of Signal Sciences. “Imagine a scenario where developers embrace security rather than find ways to work around it.”
Among respondents, 58% from mature DevOps organisations said they have automated security as part of their continuous integration (CI) practices, but CI is not the only part of the software development lifecycle (SDLC) benefiting from automation. In the survey, 42% of respondents from mature DevOps organisations claimed to perform application security analysis at every stage of the SDLC, starting from design and architecture, all the way to production.
Automation includes adding security testing techniques such as fuzz testing and software penetration testing during development and testing, as well as security analysis within CI platforms to detect when vulnerable code is introduced. Some organisations have automated the evaluation of open source and third-party components against a defined governance policy to prevent vulnerable libraries from being included in code.
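The component-governance check described above, as an added example that is not part of the article or of any Sonatype product: a small CI gate that reads a dependency manifest and fails the build when a component falls in a known-vulnerable version range, carries a disallowed licence, or sits below a policy-mandated minimum version. The manifest format, the package names, the version ranges and the licence rules are all constructed for illustration; a real pipeline would load the vulnerable-range data from an advisory feed rather than a hard-coded dictionary.

```python
"""Dependency governance gate for a CI pipeline (added example, constructed data).

Evaluates each declared component against a governance policy consisting of
known-vulnerable version ranges, a licence denylist and minimum-version floors.
A non-empty violation list means the build should stop before the component
is merged or packaged.
"""
import sys
from dataclasses import dataclass

# Constructed policy data: not a real advisory feed, not real package names.
VULNERABLE_RANGES = {
    # name -> list of (min_inclusive, max_exclusive) affected version ranges
    "examplelib": [((1, 0, 0), (1, 4, 2))],
    "jsonthing": [((0, 0, 0), (2, 1, 0))],
}
DISALLOWED_LICENCES = {"AGPL-3.0"}
MIN_VERSIONS = {"examplelib": (1, 2, 0)}


@dataclass
class Dependency:
    name: str
    version: tuple
    licence: str


def fmt(version):
    """Render a version tuple as dotted text, e.g. (1, 4, 2) -> '1.4.2'."""
    return ".".join(str(part) for part in version)


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); missing components are treated as zero."""
    nums = [int(part) for part in text.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def parse_manifest(text):
    """Parse lines of the constructed form 'name==version ; licence=SPDX-ID'.

    Blank lines and '#' comments are ignored; a missing licence is recorded
    as UNKNOWN so that the policy can still reason about it.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, _, meta = line.partition(";")
        name, _, ver = spec.partition("==")
        licence = "UNKNOWN"
        for kv in meta.split(","):
            key, _, value = kv.strip().partition("=")
            if key == "licence":
                licence = value.strip()
        deps.append(Dependency(name.strip().lower(), parse_version(ver), licence))
    return deps


def evaluate(deps):
    """Return a list of human-readable policy violations; empty means pass."""
    violations = []
    for dep in deps:
        for lo, hi in VULNERABLE_RANGES.get(dep.name, []):
            if lo <= dep.version < hi:
                violations.append(
                    f"{dep.name} {fmt(dep.version)}: known-vulnerable range "
                    f"[{fmt(lo)}, {fmt(hi)})"
                )
        if dep.licence in DISALLOWED_LICENCES:
            violations.append(f"{dep.name}: licence {dep.licence} not permitted")
        floor = MIN_VERSIONS.get(dep.name)
        if floor is not None and dep.version < floor:
            violations.append(
                f"{dep.name} {fmt(dep.version)}: below minimum {fmt(floor)}"
            )
    return violations


# Constructed manifest used when the script is run directly.
SAMPLE_MANIFEST = """
# constructed manifest for the example
examplelib==1.3.0 ; licence=MIT
jsonthing==2.1.0 ; licence=Apache-2.0
reportkit==0.9.1 ; licence=AGPL-3.0
"""

if __name__ == "__main__":
    problems = evaluate(parse_manifest(SAMPLE_MANIFEST))
    for problem in problems:
        print("POLICY VIOLATION:", problem)
    # Non-zero exit status is what makes the CI stage fail.
    sys.exit(1 if problems else 0)
```

Run against the sample manifest, the gate reports two violations (the vulnerable examplelib release and the AGPL-licensed component) and exits non-zero; jsonthing 2.1.0 passes because the affected range is exclusive of its upper bound. Keeping the policy data separate from the evaluation logic is the design point: the same `evaluate` function runs unchanged when the ranges come from a live advisory feed.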