The HPE Application Security and DevOps Report just released, which discusses in depth where organizations are at in their implementation of DevOps, and how application security fits within this new model. While there is a perception that security and DevOps go hand-in-hand, there are significant gaps between the opportunity of incorporating security as a natural part of the DevOps environment, and the reality of current programs. The study identifies significant barriers with integrating security and DevOps, as security often remains an afterthought when compared to the promise of speed and innovation, as well as recommendations for overcoming these challenges.
We asked Maria Bledsoe, Director Product Marketing at Hewlett Packard Enterprise a few questions about the report and DevOps security overall.
ADM: Where are organizations currently in their transition to DevOps?
Bledsoe: The study found that 90 percent of organizations are practicing DevOps. However, many of these deployments are small pilot programs that are not yet mature. The most commonly adopted DevOps practices include frequent deployment, automated testing and integrated teams. As organizations continue to mature in their DevOps deployment, they are working towards not only automating tasks, but also implementing new processes to drive speed and innovation.
ADM: What is the perceived opportunity surrounding application security and DevOps?
Bledsoe: The majority (99 percent) of organizations surveyed in the report, agree that DevOps provides a significant opportunity to integrate security, developer and operations teams for more secure development. Organizations that successfully integrate these functions, can potentially find and remediate vulnerabilities earlier in the software development lifecycle (SDLC) saving time and money.
ADM: What are some of the barriers and gaps preventing organizations from integrating DevOps and security teams?
Bledsoe: The HPE Application Security and DevOps Report found a number of barriers and gaps preventing organizations from successfully integrating DevOps and security teams. These include a lack of shared organizational responsibility between application teams and security, minimal security awareness, emphasis, and training for developers, and a shortage of application security talent.
ADM: Do you have a recommendation for how organizations can better assimilate DevOps and security teams?
Bledsoe: It starts at the top. Organizations must have buy-in and support from the executive leadership team for DevOps and security teams to be successfully integrated. Security should be considered a shared responsibility, not solely the CISO or security professional’s job, and leaders should include metrics to hold employees accountable. Security should be built-in instead of being an afterthought in the development lifecycle, and each DevOps team must have a security function imbedded in it.
ADM: What tools can organizations provide to developers to incorporate secure testing seamlessly?
Bledsoe: Secure development needs to be seamless and intuitive especially in a DevOps environment where speed and innovation are typically prioritized. Organizations should provide developers with application security tools that are fully integrated into the SDLC and make it easy to create secure code. For example, HPE Fortify Security Assistant is a tool that works similar to a spellchecker, allowing developers to automatically find and fix vulnerabilities as they are writing code in real-time. This not only makes secure development seamless, but also educates the developer on secure coding best practices for the future.
ADM: Organizations are often faced with a shortage of application security talent. How can they use automation to help support their efforts for secure development?
Bledsoe: Application security automation solutions, such as HPE Fortify Scan Analytics, help security professionals focus on the highest priority risks saving both time and resources. These solutions leverage machine learning and big data analytics to automatically determine the vulnerabilities that are most relevant to address, reducing the number of security issues that require manual review.