Devops teams are sacrificing focus on security gate reviews to meet tight time-to-market deadlines amid growing pressure to deliver digital transformation and digital-first revenue projects ahead of schedule.
Compensation plans for CIOs, devops leaders, and their teams prioritize time-to-market performance, increasing the intensity to beat schedules. Over the last 18 months, 90% of IT leaders are also seeing digital transformation initiatives accelerate as enterprises strive to stay in step with their customers’ preferences for buying, receiving service and repeating purchases on a digital-first basis.
A typical Devops team in a $500 million enterprise has more than 200 concurrent projects in progress, with over 70% dedicated to safeguarding and improving digital customer experiences. Devops teams are looking to save every second they can on every project as a large percentage of their total compensation is on the line.
Boston Consulting Group (BCG) says that the more software-intensive a business is, the faster and more effective the delivery of new offerings needs to be to create competitive advantages, making it a critical capability for long-term survival. Devops teams who can deliver minimum viable products (MVP) ahead of schedule often set the pace for an entire project.
VentureBeat asked Janet Worthington, senior analyst, Forrester, if CISOs and CIOs are getting more involved in securing devops. She said that “yes, CISOs and CIOs more and more are realizing that to move fast and achieve business goals, teams need to embrace a secure devops culture. Developing an automated development pipeline allows teams to deploy frequently and confidently because security testing is embedded from the earliest stages. In the event that a security issue escapes to production, having a repeatable pipeline allows for the offending code to be rolled back without impacting other operations and the issue corrected quickly.”
Why security gets traded for speed
With compensation, competitive advantages and the reputation of enterprise IT and devops teams on the line, it’s understandable that security gets pushed back in the software development lifecycle (SDLC). In enterprises that don’t prioritize security as a core part of the SDLC process, it’s common to find security, testing and validation systems isolated from core devops workflows.
Often pushed to the final phases of a project, these security reviews are rushed. That is one of the main reasons enterprises that suffered a breach in the previous 12 months cite exploitation of vulnerable software and direct web application attacks as the two leading methods bad actors used.
Security testing apps isolated from devops platforms
One example is how devops teams use application security testing (AST) tools and systems that aren’t integrated into development platforms or environments. Security testing software is designed for analysis and traceability. Devops apps, platforms and tools are designed for speed and transparency. Unfortunately, few devops engineers also know how to use security testing software.
Gate-driven reviews slow down devops
Devops workflows are designed for speed and rapidly iterating with the latest requirements and performance improvements. Gate reviews are static. The tools devops teams rely on for security testing can lead to roadblocks, given their gate-driven design. Devops is a continuous process in high-performance IT teams, while stage gates slow the pace of development.
Devops teams aren’t trained on security
Devops leaders often don’t have the time to train their developers to integrate security from the initial phases of a project. The challenge is how few developers are trained on secure coding techniques. Forrester’s latest report on improving code security from devops teams looked at the top 50 undergraduate computer science programs in the US, as ranked by US News and World Report for 2022, and found that none require secure coding or a secure application design class.
Trading off security for compliance
CIOs and their teams are stretched thin with the many digital transformation initiatives, support for virtual teams and ongoing infrastructure support projects they have going on concurrently. CIOs and CISOs also face the challenges of keeping their organizations in regulatory compliance with more complex audit and reporting requirements. Fines and the potential impacts on an organization’s reputation force them to focus first on compliance at the expense of security.
Security needs to be core to devops
High-performing devops teams deploy code 208 times more frequently than low performers. Creating the foundation for devops teams to achieve that needs to start by including security from the initial design phases of any new project. Security must be defined in the initial product specs and across every devops cycle. The goal is to iteratively improve security as a core part of any software product.
By integrating security into the SDLC, CIOs, CISOs, and their devops leaders gain valuable time back that would have been spent on stage gate reviews and follow-on meetings. The goal is to get devops and security teams continually collaborating by breaking down the system and process roadblocks that hold each team back.
“Organizations that are pursuing zero-trust initiatives benefit from embracing a devops culture where all stakeholders — development, security, operations and IT — are responsible for the quality, security and reliability of applications they build, deploy and operate,” Worthington said.
She continued, “When security is involved early in the development lifecycle, zero-trust requirements can be identified and built into the product. Organizations that don’t embed security in the SDLC run the risk that security issues are first identified late in the life cycle, requiring product rework and delayed release cycles.”
The greater the collaboration, the greater the shared ownership of deployment rates, improvements in software quality and security metrics — core measures of each team’s performance. Securing devops needs to start with the following suggested strategies that are delivering results today:
Integrating security apps, tools and technologies into existing SDLC developer workflows
It’s the first step to improving how devops and security teams share goals and help identify potential roadblocks. It is also a valuable technique for helping devops and security teams start to collaborate and break down communication and process barriers that blocked progress before. For example, enterprises often begin the integration process by embedding software composition analysis (SCA) and application security testing (AST). These tools provide devops teams with greater visibility into their code’s flaws and vulnerabilities so they can work with security to resolve them. The goal is to make security apps and tools so accessible that devops engineers can quickly get up to speed and succeed at secure coding.
Track application security performance to make better devops decisions
Large-scale devops teams often have security technicians and engineers dedicated to different applications, codebases and teams. Their goal is to analyze how each of their areas is performing on core application security metrics while ensuring secure coding practices are happening. Over time, the data generated from tracking improvements in application security helps devops teams make more informed trade-off decisions.
A key metric, mean time-to-remediate (MTTR), lets devops teams measure the average time from when an issue is identified to when it is resolved. Teams that track these types of metrics can see progress over time as they implement better design, coding practices and automated testing.
Worthington says that benchmarks or metrics used by devops teams to measure their progress at making the SDLC process more secure need to include the percentage of applications that have security testing automated and integrated into the software development life cycle. The metrics should also include the percentage of applications that are covered by post-production protection technologies.
“A positive trending indicates reduced risk to the business, reduction of unplanned work, and brand reputation protection,” Worthington advised.
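The three metrics described above (mean time-to-remediate, the share of applications with security testing automated in the pipeline, and the share covered by post-production protection) are easy to compute from a vulnerability tracker export. The following is an added example, not code from the article or from Forrester, and its findings and application inventory are constructed sample data:

```python
from datetime import date
from statistics import mean

# Constructed sample data (not figures from the article): one tuple per finding
# as (app, severity, date opened, date resolved or None if still open).
FINDINGS = [
    ("checkout", "high",   date(2023, 1, 3),  date(2023, 1, 17)),
    ("checkout", "medium", date(2023, 1, 10), date(2023, 1, 30)),
    ("search",   "high",   date(2023, 2, 1),  date(2023, 2, 11)),
    ("search",   "low",    date(2023, 2, 5),  None),
    ("billing",  "high",   date(2023, 3, 2),  date(2023, 3, 8)),
    ("billing",  "medium", date(2023, 3, 4),  date(2023, 3, 12)),
]
# Constructed application inventory: app -> (security testing automated in the
# SDLC pipeline?, covered by post-production protection technology?)
APPS = {
    "checkout": (True, True),
    "search":   (True, False),
    "billing":  (True, False),
    "reports":  (False, True),
}

def mttr_days(findings, severity=None):
    """Mean time-to-remediate in days over resolved findings; open findings are
    excluded so they do not drag the average down. Optionally filter by severity."""
    durations = [(res - opened).days for _, sev, opened, res in findings
                 if res is not None and (severity is None or sev == severity)]
    return mean(durations) if durations else None

def mttr_by_month(findings):
    """MTTR bucketed by month of resolution, ordered oldest first, so the trend
    Worthington refers to can be read off directly."""
    buckets = {}
    for _, _, opened, res in findings:
        if res is not None:
            buckets.setdefault((res.year, res.month), []).append((res - opened).days)
    return {period: mean(days) for period, days in sorted(buckets.items())}

def improving(series):
    """True when MTTR never rises from one period to the next (positive trend)."""
    values = list(series.values())
    return all(later <= earlier for earlier, later in zip(values, values[1:]))

def pct_apps_with_automated_testing(apps):
    return 100.0 * sum(1 for automated, _ in apps.values() if automated) / len(apps)

def pct_apps_with_post_production_protection(apps):
    return 100.0 * sum(1 for _, protected in apps.values() if protected) / len(apps)
```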
Recruit security coaches in devops and double down on their training
Encourage members of the devops teams to become security coaches, offering to pay for their certifications, training and ongoing education. Upskilling is most effective when it combines informal training from security engineers and formal training paid for by the organization, so devops team members can continually gain new knowledge.
Close gaps between AST and devops to save time and improve security
Enterprise IT and security teams often pursue a shift-left strategy to make this happen. That involves creating more collaboration during the first stages of the SDLC by relying on software composition analysis and prioritizing what most needs to be done in the security requirements backlog. Closing the gap accelerates development and provides devops engineers with an opportunity to learn about AST.
Leading vendors that provide platforms that integrate AST into devops include Coverity, Checkmarx, GitLab, HCL AppScan, Micro Focus Fortify On Demand, Veracode Application Security Platform and others. Checkmarx is noteworthy for its integrated approach that’s proven scalable across organizations doing daily code releases.
The SDLC needs to have zero trust in the design starting at the API level to reduce the risk of a breach
Organizations must adopt zero-trust principles for all systems and processes that comprise the devops pipeline to secure their software supply chains from attacks and threats.
VentureBeat recently asked Sandy Carielli, principal analyst at Forrester, how IT, devops and security can collaborate better to improve API security as part of the CI/CD process. Carielli said, “As in many security areas, early communication makes a big difference. During the early stages of product definition, security needs to be in the room and understand the API strategy for a product or project. This will help ensure that the team has the right expertise and supporting tools. In addition, work with IT and devops on a policy and controls for deploying new APIs to reduce the risk of rogue or unmanaged APIs.”
VentureBeat also asked Carielli what organizations should look for when deciding which API security strategy to adopt. She advised, “when considering API strategy, work with the dev team to understand the overall API strategy first. Get API discovery in place. Understand how existing appsec tools are or are not supporting API use cases. You will likely find overlaps and gaps. But it’s important to assess your environment for what you already have in place before running out to buy a bunch of new tools.”
Improving devops by integrating security
Security needs to be a continuous, automated process in devops if it’s going to deliver on the potential it has to improve code deployment rates while reducing security risks and improving code quality. In addition, when security is a core part of the SDLC, its core metrics are available across devops teams and security engineers, further improving collaboration.
Forrester’s latest report [subscription required] advises IT leaders to adopt AST tools that educate devops engineers on the job, further enhancing their knowledge. The report recommends static application security testing, dynamic application security testing, and interactive application security testing as the best tools for devops engineers to start with.
Forrester also advises IT and security leaders to look for tools that include clickable and brief training modules and can be inserted into the SDLC as early as possible, such as spellchecker-like plug-ins to the integrated developer environment (IDE).
By Louis Columbus, Originally published on VentureBeat