How and why security will be built into DevOps models

We talk to Gaurav Chhiber, Director, Security Products, Hewlett Packard Enterprise, on the key barriers and gaps preventing organisations from successfully integrating security and DevOps.


1.    What does DevOps mean for local organisations, and to what degree have organisations adopted DevOps?

HPE Security Fortify research shows that organisations today operate in a world filled with mobile, web and cloud-based applications used by the business, partners and customers, who constantly want more as they keep pace with the Idea Economy, where ideas can make or break their success.

With competitive pressures, and application users constantly wanting more, application delivery teams, who are already resource-strained and operate in complicated environments, are under pressure to create, launch and operate applications faster than ever.

To alleviate these pressures, organisations look to DevOps as the saviour of their application delivery problems, as the model allows for the faster development and deployment of new apps and updates. In fact, recent Gartner research indicates that 38 percent of enterprises are now using DevOps, and 50 percent will be actively using the approach by the end of 2016.

2.    How does DevOps improve overall development effectiveness and application security? 

By dramatically transforming how applications are created and delivered, DevOps pushes the limits on the speed and innovation required of development teams. Through this, there is a new opportunity to improve the software development lifecycle (SDLC) in tandem with the moves being made toward agility, continuous delivery and integrating security right from the start.

Application security and DevOps go hand in hand. DevOps is an opportunity to make security an integral part of the development process and to build secure coding practices into the early stages of the SDLC. It is centred on the belief that security must be part of the DevOps process and not a separate function.

Our latest study found that 99 percent of all respondents agree that adopting a DevOps culture offers an opportunity to improve application security. Further, the expectation is that applications will be released with a level of security that meets the goals of the organisation, to ensure the protection of not only the software and customers but also the organisation itself.

While DevOps can help make applications more secure, it requires a commitment across the organisation to prioritise security, and incorporate more automated testing solutions that make it simpler to gather real-time feedback and remedy vulnerabilities during the development process. 

3.    How can local organisations transition smoothly to a DevOps system?  

It begins with moving away from a siloed environment, improving communication between development and operations teams, creating a cultural shift, and establishing new structures and processes. Close communication also allows both teams to better understand each other's needs.

Organisations can start by taking on a small project and applying a new method to the development and test process, to help teams adjust and gather feedback, before attempting to convert the entire team to DevOps at once.

4.    What are the obstacles and opportunities in improving security practices in a DevOps environment? 

In addition to the challenge of stakeholders in development and operations who have not fully bought into secure SDLC initiatives, there are also internal factors that impede application security teams, as follows:

Security leaders are not developers: Security roles have become very specialised, with most security professionals having a background in IT. In our findings, only 15 percent of chief information security officers (CISOs) have a background in development. This can lead to a misunderstanding of the challenges faced by development teams.

Lack of application security talent: For organisations that have put a focus on the secure SDLC, there is a significant shortage of application security talent. Our research saw responses from an average of 900 developers, in comparison to an average of 11 application security professionals. This ratio represents a clear need to balance resources to keep application security top of mind.

Integrating into DevOps is difficult: 90 percent of security professionals surveyed state that since their organisation started deploying DevOps methodologies, integrating application security into the development process has become more difficult. Interestingly enough, though, 100 percent cite that integration is a key requirement for the success of an application security programme.

5.    What is preventing organisations from ensuring that application security is part of DevOps?

While one of the main promises of DevOps is the collaboration between development, operations, and quality assurance (QA), security teams are often nowhere to be found in the DevOps conversation or team. 

Our research indicates that the key factor hindering security adoption within DevOps is organisational barriers. Development, operations, and security teams today have completely separate, siloed reporting structures.

The result is that most developers and IT operations teams care about security but feel it is already under control or that it is someone else's issue (such as the security, InfoSec, or compliance departments). In addition, security teams feel disconnected from both development and operations, with some respondents admitting to not even knowing who their security teams are.

These dynamics can lead to a divide between security organisations and development, with differing metrics and misaligned priorities.

6.    How can local organisations bridge awareness and training gaps to make it seamless for developers to practice secure development?

While securing the SDLC remains a key challenge in most organisations, there are those that have overcome the organisational and process barriers to embed application security into their development processes. 

Some best practices for better integration between application security and DevOps teams include:

•    Security should be a shared responsibility across the organisation, to eliminate barriers. Security must be embedded throughout every stage of the development process, with executive support and metrics to hold teams accountable for secure development.

•    Bridge awareness, emphasis, and training gaps by making it seamless and more intuitive for developers to practise secure development. Organisations should integrate security tools into the development ecosystem to allow developers to find and fix vulnerabilities in real time as they write code. This makes it easy and efficient to develop securely, and educates the developer on secure coding in the process.

•    Leverage automation and analytics as application security force multipliers. Organisations should leverage enterprise-grade application security automation with analytics built in, to automate the application security testing audit process and allow their application security professionals to focus only on the highest-priority risks. This reduces the number of security issues that require manual review, saving both time and resources while lowering overall risk exposure.

7.    How can security leaders justify why embedding security in development is necessary? 

In today's culture of rapid release, while it is good to move fast, security cannot be compromised. If releases occur without security oversight, it leaves organisations open to security vulnerabilities and attacks, which has dire consequences.

Detecting and fixing quality issues in the early stages of the SDLC increases efficiency and can reduce costs. By addressing security issues throughout the SDLC, development teams spend less time remediating them than they would if security were added at the end.