SecOps: The Roadkill Victim of DevOps’ Need for Speed

DevSecOps Remains a Theory Not Often Implemented in Practice

DevOps was born from the understanding that greater efficiency comes from breaking down business silos (in this case, development and operations) and working as a single unit. With the increasing understanding and regulatory demands that security should be baked into new products during their development, the logical extension is that security should be included in a new combined working model: DevSecOps.

The potential advantages of DevSecOps are well understood and frequently urged, but not so commonly implemented. A new survey and report (PDF) from threat detection firm Threat Stack demonstrates that DevSecOps remains a theory not often implemented in practice.

Threat Stack questioned more than 200 security, development and operations professionals working for firms ranging from SMBs to large corporations in North America, across multiple industry sectors. The responses show that DevSecOps is well understood and frequently lauded by firms, but not so often enacted.

The primary reason appears to be not just a lack of support from the highest levels, but actual discouragement from business leaders. More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective. “Since the directive for speed starts at the very top, it’s hard to ignore,” comment the report’s authors, “even if it means that security becomes roadkill in the process.”

The demand for development speed from business leaders then transfers to the existing DevOps team. Sixty-two percent of respondents said that DevOps push back against demands to deploy secure technology, and 57% push back on security best practices, presumably because implementing security is seen as incompatible with the overriding need for speed.

This is a common perception. Mike Smart, security strategist at Forcepoint, believes security is like the brake on a car. Business leaders think its purpose is to slow down the car; that is, security slows down business and business development. “Innovators will tell you the opposite,” he says. “It’s there to give the driver the confidence to go as fast as possible.” In this view, security is the enabler of agile business — but the implication is that security leaders have failed to adequately explain this function to the business leaders.

Surprisingly, however, the theory of DevSecOps is well received. Eighty-five percent of the responding organizations claim that bridging the gap between DevOps and security is an important goal, while 62% of developer and operations professionals say it has become a bigger priority.

Threat Stack has isolated three key factors at play in this apparent contradiction. The first is that security is still siloed and considered a separate function. “A security specialist,” notes the report, “is assigned to the operations team at only 27% of the organizations we surveyed, and security pros are on board with development teams in just 18% of cases. At 38% of organizations, security is a completely separate team that is only brought in ‘when needed’.”

The second is that development is separate from security. “Forty-four percent of developers aren’t trained to code securely. Without this basic knowledge, coding is often done without security in mind. This forces security to become a bottleneck when they must inevitably step in and intervene.”

Thirdly, operations is little different. “A full 42% of operations staff admit that they are not trained in basic security practices, which means that they can’t configure servers securely. It also means that they don’t see deploying security as part of the configuration management process, which allows security best practices to fall by the wayside. When ops pros aren’t trained in security, there’s no way SecOps can succeed.”

At the same time, security cannot be absolved from all responsibility for the lack of progress in DevSecOps. Just as developers can’t code securely, security teams can rarely code at all. Security teams, suggests Threat Stack, “need to learn how to code and integrate their efforts into continuous deployment cycles. Don’t wait for this process to happen organically; you must make a conscious investment in alignment and education across teams.”

“Businesses have grappled with the ‘Speed or Security’ problem for years but the emergence of SecOps practices really means that companies can achieve both,” said Brian Ahern, Threat Stack chairman and CEO. “The survey findings show that the vast majority of companies are bought-in, but, unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It’s important that stakeholders across every enterprise prioritize the alignment of DevOps and security.”

The key to developing an efficient DevSecOps regime is to break down silos — but that includes breaking down self-imposed as well as organizationally-imposed silos.

Boston, Mass.-based intrusion detection firm Threat Stack raised $45 million in a Series C funding in September 2017, bringing the total raised by the company to more than $70 million.

Related: Automated Compliance Testing Tool Accelerates DevSecOps 

Related: Where DevOps Could Be Increasing The Attack Surface 

Related: Do Business Leaders Listen to Their Own Security Professionals? 
