Security blind spots persist as companies cross-breed security with devops

As devops matures into devsecops, cultural obstacles continue to exert drag.

Devops has become common in software-development organizations around the world, but many companies are still struggling with cultural issues that are dampening security practitioners’ influence in the devsecops practices crucial for next-generation cloud application development.

When it’s done well, devops is driving dramatic change—with GitLab’s recently released 2021 devsecops survey of nearly 4,300 respondents finding that the COVID-19 pandemic had “energized teams to focus on embracing cutting-edge devops technologies” including Kubernetes, artificial intelligence, machine learning, and cloud computing.

Broader adoption of devops-related capabilities had sped up software development, with 84% of developers saying they are releasing new software faster than ever—and one in five saying they are releasing new code 10 times faster, the GitLab survey showed.

The challenges of adopting devsecops

Yet while developers had naturally warmed to new and faster development processes, this new speed was creating paradoxical challenges around the adoption of devsecops, which is still seen by many as obstructing speed of delivery even though security mandates have become more important than ever. “In the past year, devops matured and fully arrived with these technology adoptions,” the report noted, “but there are still roadblocks to navigate before achieving true devsecops.”

Security testing remains an obstacle, with 42% of respondents to the GitLab survey saying security testing was happening too late in the development process. A similar proportion said they found it difficult to process and fix security vulnerabilities.

Nonetheless, 72% of surveyed security professionals said their organizations were putting in either “good” or “strong” efforts around security—up from 59% the year before.

With lingering confusion over issues like who is in charge of security, GitLab vice president of security Johnathan Hunt said, “a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left.”

Long-standing challenges in devops persist in devsecops

The report validates predictions by analyst firm Gartner, which in 2020 predicted that 75% of devops initiatives would fail to meet expectations due to ongoing issues around organizational learning and change.

A recent survey by cybersecurity vendor Vectra AI of 317 IT executives identified some of the most problematic issues, with nearly one-third of surveyed companies still having no formal sign-off on new software versions before pushing them into production.

With 64% of companies deploying new services weekly or even more frequently, this lack of security review threatens overall security, Vectra AI said, warning of “blind spots” that were only getting larger as companies expanded their investments in cloud platforms. “The cloud has expanded so much that securely configuring it with continued confidence is nearly impossible,” the company said, noting that “risk exponentially increases as more people are granted access to the [cloud] environment.”

Interestingly, some regions are feeling the drag more than others. Just 37% of Asia-Pacific respondents to Puppet’s 2021 State of Devops Report, for example, said culture was a barrier to the evolution of devops practices in their organization—well below the 47% global average—while 23% said that technology was more of an issue.

A “very specific set of challenges” was identified as the cultural factors impeding progress toward devops—including cultures that discourage risk, have unclear responsibilities, deprioritize fast-flow optimization, and fail to include sufficient feedback loops. All of these allow issues to accumulate over time, potentially leading to the stagnation that causes many organizations to plateau after completing only part of their devops transformation.

There are two different schools of thought around devsecops, the Puppet report noted. Some people say that the term shouldn’t exist because security is fundamental to both development and operations. Others see it as “an explicit call to action to start including security from the beginning of the software development life cycle,” the report noted.

“For many organizations, the relationship between the security function and the design part of software development was even more distant than that between development and operations,” the report noted. “Symbols and labels can be a powerful way to drive change.”

Fully 51% of companies with highly developed devops cultures reported integrating security into requirements, while security was also being integrated into the design (61%), build (53%), and testing (52%) stages of the software development life cycle.

Companies with less-mature devops practices reported less security rigor, with 48% engaging security for scheduled audits of production and 45% doing so when there was an issue reported in production.

The figures, the Puppet report concluded, confirm that “good security practices and better security outcomes are enabled by devops practices. As devops practices improve, devsecops naturally follows.”

Copyright © 2021 IDG Communications, Inc.