Everyone agrees security must be an integral part of the development process. DevOps methodology has become synonymous with security. Rapid development, frequent release cycles and a fail-fast culture are said to produce more secure applications. IT security and development teams work together seamlessly to ship secure and stable applications.
In reality, building security into the development process has been far more difficult. Curious about the true state of DevOps security, Hewlett Packard Enterprise surveyed a cross-section of development team members and industry leaders across enterprises. According to the 2016 Application Security and DevOps report by Hewlett Packard Enterprise (HPE), 99% of respondents agreed that DevOps provided an opportunity to improve security. Yet only 20% of those respondents were already testing applications during development, and 17% did not include security at any stage of development.
The promise of DevOps was a more integrated development approach compared with traditional development models. A majority of development teams still lack communication across divisions. The teams that do communicate well tend to belong to organizations that began with DevOps rather than transitioning to it from another methodology (e.g. Google and Facebook).
Simply switching to DevOps does not automatically result in a more secure product. Team culture must change to include security. Security and DevOps are still mostly decoupled. Not all security personnel come from a development background, and few developers have a background in security. The two groups often work apart from one another, and each feels the other does not value its role in the development process. This disconnect affects more than team dynamics; it impacts application security as well.
Organizations of all sizes can be targeted for attack. Even large enterprises with mature software development and release cycles aren't immune. Consider the major data breaches in recent years: LinkedIn, Yahoo, Tumblr and Target were among the many tallied. Allegedly, business goals were prioritized over security in at least one of these cases.
Cybersecurity incidents can be costly. In addition to the costs associated with patching software and mitigating legal issues, organizations may also experience lowered profits. Target reported a 46% drop in profits after as many as 110 million customer credit cards were compromised through vulnerable point-of-sale software in stores. Costs associated with mitigation and upgrades are just the beginning. According to a recent Deloitte report, there are fourteen cyberattack impact factors that contribute to the overall cost of a security incident.
Integrating security is an obvious solution, but how? Enabling DevOps teams to test throughout the development process is one way. Using automation and analytics tools to weed out vulnerabilities at each milestone is another. Consider the Netflix Chaos Monkey. Chaos Monkey is an automated tool that tests and detects vulnerabilities, alerting development teams as it finds issues. With automation like this, development teams can cinch up security holes as they surface.
Aligning business goals with security requirements can directly impact an organization's future. Failure to secure applications and internal systems may result in long-term loss. Consumers care about data security: nearly two-thirds (65%) worry about a provider's data security practices, Kaspersky Labs reports. Ignoring security to focus on business goals can have disastrous effects. DevOps teams must focus on bringing together development and security in a way that meets the overall needs of the organization and the customer experience. Once again, this illustrates the importance of a holistic digital transformation strategy that connects the dots between people, processes and technology.