DevSecOps Remains a Theory Not Often Implemented in Practice
DevOps was born from the understanding that greater efficiency comes from breaking down business silos (in this case, development and operations) and working as a single unit. With the increasing understanding and regulatory demands that security should be baked into new products during their development, the logical extension is that security should be included in a new combined working model: DevSecOps.
The potential advantages of DevSecOps are well understand and frequently urged — but not so commonly implemented. A new survey and report (PDF) from threat detection firm Threat Stack demonstrates that DevSecOps remains a theory not often implemented in practice.
Threat Stack questioned more than 200 security, development and operations professionals working for firms ranging from SMBs to large corporations in North America, across multiple industry sectors. The response shows that DevSecOps is well-understood and frequently lauded by firms, but not so often enacted.
The primary reason appears to be not just a lack of support from the highest levels, but actual discouragement from business leaders. More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective. “Since the directive for speed starts at the very top, it’s hard to ignore;” comment the report’s authors; “even if it means that security becomes roadkill in the process.”
The demand for development speed from the business leaders then transfers to the existing DevOps team. Sixty-two percent of the responders said that DevOps push back against demands to deploy secure technology, and 57% push back on security best practices — presumably because implementing security is seen as incompatible with the overriding need for speed.
This is a common perception. Mike Smart, security strategist at Forcepoint, believes security is like the brake on a car. Business leaders think its purpose is to slow down the car; that is, security slows down business and business development. “Innovators will tell you the opposite,” he says. “It’s there to give the driver the confidence to go as fast as possible.” In this view, security is the enabler of agile business — but the implication is that security leaders have failed to adequately explain this function to the business leaders.
Surprisingly, however, the theory of DevSecOps is well received. Eighty-five percent of the responding organizations claim that bridging the gap between DevOps and security is an important goal, while 62% of developer and operations professionals say it has become a bigger priority.
Threat Stack has isolated three key factors at play in this apparent contradiction. The first is that security is still siloed and considered a separate function. “A security specialist,” notes the report, “is assigned to the operations team at only 27% of the organizations we surveyed, and security pros are on board with development teams in just 18% of cases. At 38% of organizations, security is a completely separate team that is only brought in ‘when needed’.”
The second is that development is separate from security. “Forty-four percent of developers aren’t trained to code securely. Without this basic knowledge, coding is often done without security in mind. This forces security to become a bottleneck when they must inevitably step in and intervene.”
Thirdly, operations is little different. “A full 42% of operations staff admit that they are not trained in basic security practices, which means that they can’t configure servers securely. It also means that they don’t see deploying security as part of the configuration management process, which allows security best practices to fall by the wayside. When ops pros aren’t trained in security, there’s no way SecOps can succeed.”
At the same time, security cannot be absolved from all responsibility for the lack of progress in DevSecOps. Just as developers can’t code securely, security teams can rarely code at all. Security teams, suggests Threat Stack, “need to learn how to code and integrate their efforts into continuous deployment cycles. Don’t wait for this process to happen organically; you must make a conscious investment in alignment and education across teams.”
“Businesses have grappled with the ‘Speed or Security’ problem for years but the emergence of SecOps practices really means that companies can achieve both,” said Brian Ahern, Threat Stack chairman and CEO. “The survey findings show that the vast majority of companies are bought-in, but, unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It’s important that stakeholders across every enterprise prioritize the alignment of DevOps and security.”
The key to developing an efficient DevSecOps regime is to break down silos — but that includes breaking down self-imposed as well as organizationally-imposed silos.
Boston, Mass.-based intrusion detection firm Threat Stack raised $45 million in a Series C funding in September 2017, bringing the total raised by the company to more than $70 million.
Related: Automated Compliance Testing Tool Accelerates DevSecOps
Related: Where DevOps Could Be Increasing The Attack Surface
Related: Do Business Leaders Listen to Their Own Security Professionals?