DevOps: The Security Gap

devopslog

The last of our 3-part blog series on DevOps and Security shares the results of a recent Alert Logic online survey of 73 UK DevOps practitioners and the role they believe security could, and should, play within the software development lifecycle.

The agile nature of short, predictable release times is adding huge value to software developer innovations, but it has been unclear to date whether companies have integrated security into that process in an automated fashion or whether they are still doing it manually.

Is it possible to ensure secure software code is developed, tested, monitored and released in a continual delivery cycle?

The responses validate what we thought: a lot of progress has been made with the adoption of DevOps practices, but security is still seen as a bolt-on at the end of the delivery lifecycle rather than an automated, integrated component. This is causing significant delays and conflict within the process and stalling the continuous delivery of software into production.

Key findings

  • Communications & Tools: Whilst communications and the sharing of common toolsets between the Development and Operations teams were considered to be working well (59 people, 80%), communications and toolsets outside of the DevOps teams, with security and compliance functions, were rated as poor or requiring significant improvement (51 people, 70%).
  • Security infrastructure: Of those who integrated security infrastructure into their DevOps process, 52 people (73%) indicated that it had been poorly managed or needed significant improvement.
  • Application security: Staggeringly, 56 people (77%) acknowledged that they haven’t implemented a continuous process to improve application and infrastructure security in their projects.

And this is where the data becomes really enlightening.

All the respondents agree that automating security into the development lifecycle is the right thing to do, but the reality is significantly lagging behind.

The challenge is that the agile nature of DevOps is at odds with the historically manual, static nature of information security. Security is often siloed, which breaks down communications and processes across the development lifecycle and is the cause of the vast majority of critical system downtime, including downtime from security breaches:

  • All the respondents agree security should be a critical component considered at the planning stage, but only 40% are actually involving security here.
  • 92% agreed security should be integrated into the operational review cycles, but only 16% are actually doing it.
  • Of the core security technologies that they believed should be automated in the development lifecycle, log management came out as the most important – at 86% of respondents: BUT, the reality falls far short with just 30% of people actually implementing it.
  • Again, all the respondents agree that it is important to have security integrated for continuous monitoring across the lifecycle, but only 23% have formally included it.
  • The majority of respondents surveyed cited a lack of people and relevant skills as the biggest barrier to implementing a continuous security model—in fact, only 23% of respondents believe they have the right people with the right resources.

The good news here is that DevOps practitioners actively engaged in the process understand the importance of automating security, but they just haven’t got the right processes, collaboration tools, or streamlined internal communication to make it a reality … yet.

The challenge for them is that continuous deployment stalls without security automation.

Closing the Security Gap

Development, operations and security are fundamentally intertwined and dependent on each other. The evolution of DevOps should now be extended to embrace Security – providing speed and agility to securing critical applications, assets and services in a more predictable, auditable and secure way.

Key takeaways:

  • Security should be involved in the planning stage and early development to harden the software as much as possible. Without this, security teams are always playing catch-up and will be considered disruptive to the agile process.
  • Security teams must standardize secure configuration settings for faster deployments, continually model potential security threats and vulnerabilities, and test for them.
  • Test results should be fed back into the development teams to ensure that software is continually developed to proactively mitigate security threats – minimizing security breaches and all the financial, operational and reputational damage that a breach will cause.
  • The threat landscape is constantly changing: continuous real-time monitoring is key.
  • Move to ‘security as code’ – embedding security into scripts to automate processes that can be executed in a repeatable and predictable way.
  • Conduct security validation throughout the development lifecycle.
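As an added illustration of the takeaways above (standardized secure configuration settings, tests for them, and 'security as code' whose results can be fed back to developers), the following script is not part of the original post or of Alert Logic's tooling. It expresses a hypothetical secure-configuration baseline as data and tests a deployment's configuration against it, returning findings that a CI/CD stage can use to fail the build. Every setting name, baseline value and sample configuration in it is constructed for the example.

```python
"""Security-as-code baseline check (added example, not from the post).

A standardized secure-configuration baseline is expressed as data, and a
deployment's configuration is tested against it. Findings are returned as
values so a pipeline stage can fail the release and report them back to the
developers. All setting names and sample values are constructed.
"""
from dataclasses import dataclass

# Hypothetical baseline: what every deployment must satisfy before release.
SECURE_BASELINE = {
    "tls_min_version": 1.2,           # minimum acceptable TLS version
    "debug_mode": False,              # debug endpoints must be off in production
    "log_forwarding_enabled": True,   # logs must reach central log management
    "admin_interface_public": False,  # admin UI must not be internet-facing
}


@dataclass(frozen=True)
class Finding:
    """One baseline violation, reported back to the development team."""
    setting: str
    expected: object
    actual: object

    def __str__(self) -> str:
        return f"{self.setting}: expected {self.expected!r}, found {self.actual!r}"


def check_config(config: dict) -> list[Finding]:
    """Compare a deployment config against SECURE_BASELINE.

    A setting that is absent from the config is treated as a violation, so a
    forgotten setting cannot silently pass the gate.
    """
    findings = []
    for setting, expected in SECURE_BASELINE.items():
        actual = config.get(setting)  # None when the setting is missing
        if setting == "tls_min_version":
            ok = actual is not None and actual >= expected  # newer is fine
        else:
            ok = actual == expected
        if not ok:
            findings.append(Finding(setting, expected, actual))
    return findings


def release_gate(config: dict) -> bool:
    """True when the configuration meets the baseline; a CI job fails otherwise."""
    return not check_config(config)


# Constructed sample: a config as a developer might commit it, with
# one setting too weak, one wrong, and one missing entirely.
SAMPLE_CONFIG_BAD = {
    "tls_min_version": 1.0,
    "debug_mode": True,
    "admin_interface_public": False,
    # log_forwarding_enabled is missing
}

# Constructed sample that satisfies every baseline setting.
SAMPLE_CONFIG_GOOD = {
    "tls_min_version": 1.3,
    "debug_mode": False,
    "log_forwarding_enabled": True,
    "admin_interface_public": False,
}

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_CONFIG_BAD), ("good", SAMPLE_CONFIG_GOOD)):
        findings = check_config(cfg)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Running the script prints a PASS/FAIL line per sample configuration and lists each violation for the failing one; in a pipeline the same `release_gate` result would decide whether the deployment proceeds, and the findings would be attached to the build so the feedback loop the takeaways describe is automatic rather than a manual review at the end.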

Dev’Sec’Ops will be fully realized when organizations stop adding it onto the end of the development lifecycle and start integrating it in so that it becomes a seamless part of the secure continuous delivery lifecycle. Once this happens, security will no longer be a call-out on its own, but a critical, automated and integrated component of the whole process.

See more of the survey results in an infographic:
http://public.brighttalk.com/resource/core/63073/devops_the-security-gap-infographic_2015_92365.pdf

Watch our ‘Securing DevOps’ webinar with Chef on-demand:
https://www.brighttalk.com/webcast/11587/147557

Read James Brown’s 10 Practical Security Tips for DevOps: 
https://www.alertlogic.com/blog/10-practical-security-tips-for-devops/