Software Integrity Blog


A new study finds that security in DevOps processes is lagging

According to a new study conducted by 451 Research and Synopsys, security in DevOps processes is lagging despite advantages and opportunities.

While many organizations are still in the early days of replacing organizational silos with DevOps teams implementing continuous integration and continuous delivery (CI/CD) workflows, the benefits of streamlined, collaborative development approaches are clear: They enable organizations to bring more features and improvements to market faster.

“DevSecOps presents an opportunity to make application security part of the cultural and technological fabric of modern, high-velocity development and deployment models. This study highlights many of the opportunities and challenges DevOps teams face in adapting and applying application security tools and best practices. It also validates that automation, speed, accuracy, and CI/CD integration—attributes Synopsys has built into its application security solutions—are critical to making DevSecOps successful.”

Andreas Kuehlmann, general manager, Synopsys Software Integrity Group

What isn’t so well-understood is how application security is being included in these dynamic, fast-paced environments and how security testing tools and best practices should be augmented to keep pace and stay relevant.

To better understand this emerging paradigm, also known as DevSecOps, we surveyed 350 decision-makers at large enterprises across a variety of industries. The results reveal that while half of DevOps teams are failing to incorporate application security into their CI/CD workflows, doing so is a high priority for them and presents many opportunities.

“While some DevOps teams are starting to incorporate application security into their CI/CD workflows, driven by factors such as improved software quality, compliance, and risk avoidance, there is ample room for improvement. In many cases, security testing is not being integrated often or early enough in the process for organizations to fully benefit from reduced risk and rework headaches.”

Jay Lyman, principal DevOps analyst, 451 Research

Even though it’s a popular view that security slows down software releases, we believe that organizations can reduce risk and save themselves rework headaches and time by considering and implementing security measures early in the process—in other words, at code commit and during pre-implementation—something our research indicates most organizations do not do.

Our findings suggest that awareness of the need to include security early in rapid release processes is growing. But despite that awareness and drivers such as software quality, compliance, and risk avoidance, there is still a lack of understanding that when application security testing is integrated early and effectively, it results in more secure, faster releases and less rework.

Download the report

Key survey findings

  • 63% of respondents say they expect to deploy software at least four times faster in a DevOps model.
  • Software composition analysis (SCA), or the identification of open source software components affected by known vulnerabilities, is the most critical application security element that needs to be incorporated into CI/CD workflows.
  • Nearly 40% of organizations either do not perform SCA or claim not to use any open source components—a claim that may represent a lack of awareness, given that a previous Open Source Security and Risk Analysis report by Black Duck Software found that over 95% of applications contain open source.
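The findings above describe software composition analysis as the check that most needs to run inside the CI/CD workflow, and the earlier paragraph argues that security should gate at code commit. The script below is an added example written for this post, not code from the survey, from Synopsys, or from Black Duck. It is a minimal SCA gate: it parses a pinned requirements.txt, matches each component against an advisory list by version range, flags unpinned components it cannot assess, and exits non-zero so a CI job fails at the commit that introduced the risk. The advisory entries (the `EXAMPLE-000x` identifiers) and the sample lockfile are constructed data for illustration, not real advisories, and the version comparison is a simplified approximation that ignores pre-release suffixes.

```python
"""Minimal software composition analysis (SCA) gate for a CI pipeline.

Added example, not part of the original post. Advisory identifiers and
the sample lockfile below are constructed, not real CVEs.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str      # normalised PyPI-style name (lowercase, '-' not '_')
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" if no fix released
    ident: str        # hypothetical advisory identifier


# Constructed sample advisories (hypothetical, not real vulnerabilities).
ADVISORIES = [
    Advisory("requests", "2.0.0", "2.20.0", "EXAMPLE-0001"),
    Advisory("pyyaml", "0", "5.4", "EXAMPLE-0002"),
    Advisory("flask", "1.0", "", "EXAMPLE-0003"),  # no fixed version yet
]


def parse_version(version):
    """Turn '2.18.4' into a comparable 4-tuple (2, 18, 4, 0).

    Simplification: non-numeric suffixes such as 'rc1' are ignored and
    only the first four components are compared.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version, adv):
    """True if version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


# Matches a pinned requirement such as "requests==2.18.4".
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;#]*)")


def parse_requirements(text):
    """Return (name, version) pairs; version is None when not pinned."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            # Unpinned or URL-based requirements cannot be assessed, so
            # they are reported rather than silently passing the gate.
            components.append((line, None))
            continue
        name = m.group(1).lower().replace("_", "-")
        components.append((name, m.group(2)))
    return components


def scan(text, advisories=ADVISORIES):
    """Return a list of (name, version, advisory_id) findings."""
    findings = []
    for name, version in parse_requirements(text):
        if version is None:
            findings.append((name, None, "UNPINNED"))
            continue
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                findings.append((name, version, adv.ident))
    return findings


# Constructed sample lockfile used when no path is given on the command line.
SAMPLE_REQUIREMENTS = """\
# constructed sample lockfile
requests==2.18.4
PyYAML==5.4.1
flask==1.1.2
cryptography==3.4.8
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REQUIREMENTS
    findings = scan(text)
    for name, version, ident in findings:
        print(f"FAIL {name}=={version}: {ident}")
    # Non-zero exit status makes the CI job fail at commit time.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pre-commit hook or as the first CI stage with `python sca_gate.py requirements.txt`; a non-zero exit blocks the merge before the vulnerable component reaches a build, which is the "early and effectively" integration the survey findings point to.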

Digging into DevSecOps

Join our on-demand webinar examining the realities of DevSecOps processes and the degree to which security is (or isn’t) being included in enterprise CI/CD workflows.

The hour-long session is presented by Jay Lyman, principal analyst at 451 Research, and Meera Rao, senior principal consultant at Synopsys.

We go over the results of the survey and offer guidance on how enterprise organizations can effectively integrate security tools, people, and processes into CI/CD workflows to reduce rework and risk without slowing velocity.

Watch now
