According to Examining DevSecOps Realities and Opportunities, a new study conducted by 451 Research and Synopsys, security in DevOps processes is lagging despite advantages and opportunities.
Many organizations are still in the early days of replacing organizational silos with DevOps teams and CI/CD workflows. The benefits of streamlined, collaborative development approaches are clear. These approaches enable organizations to bring more features and improvements to market faster.
What isn’t so well-understood is how organizations are including application security in these dynamic, fast-paced environments. How should security testing tools and best practices change to keep pace and stay relevant?
To better understand this emerging paradigm, also known as DevSecOps, we surveyed 350 decision-makers at large enterprises across a variety of industries about their experiences with security in DevOps. The results reveal that half of DevOps teams don’t incorporate application security into their CI/CD processes, even though most rank doing so as a high priority and see many opportunities in it.
“While some DevOps teams are starting to incorporate application security into their CI/CD workflows, driven by factors such as improved software quality, compliance, and risk avoidance, there is ample room for improvement. In many cases, security testing is not being integrated often or early enough in the process for organizations to fully benefit from reduced risk and rework headaches.”
Jay Lyman, principal DevOps analyst, 451 Research
The popular view is that security slows down software releases. But organizations can reduce both risk and the cost and effort of rework by performing security activities early in the process. Specifically, they should apply security testing at code commit and during the pre-implementation (design) phase, something our research indicates most organizations do not yet do.
Our findings suggest that organizations need to know how to integrate security early in their DevOps processes. We also see growing awareness of application security, along with drivers such as software quality, compliance, and risk avoidance. But many organizations still don’t understand the benefits of early application security testing. When an organization integrates application security testing early and effectively, it gets more secure, faster releases with less rework.
“DevSecOps presents an opportunity to make application security part of the cultural and technological fabric of modern, high-velocity development and deployment models,” said Andreas Kuehlmann, general manager, Synopsys Software Integrity Group. “This study highlights many of the opportunities and challenges DevOps teams face in adapting and applying application security tools and best practices. It also validates that automation, speed, accuracy, and CI/CD integration—attributes Synopsys has built into its application security solutions—are critical to making DevSecOps successful.”
In our on-demand webinar, Jay Lyman, principal analyst at 451 Research, and Meera Rao, senior principal consultant at Synopsys, discuss the survey results and how organizations include (or don’t include) security in enterprise CI/CD workflows. They also offer guidance on how enterprise organizations can integrate security into CI/CD workflows to reduce rework and risk without slowing velocity.