DevOps and security go hand in hand, but most firms stuck in the middle

Planet DevOps is pulling security more tightly into its orbit, at least according to Puppet’s latest State of DevOps survey.

The 2019 report, produced by Puppet, CircleCI and Splunk, also highlighted a correlation between a high level of DevOps practice and a high level of security integration into the software development lifecycle.

But organisations who have achieved this level of nirvana are comparatively thin on the ground, with the authors reporting that “22 percent of the firms at the highest level of security integration have reached an advanced stage of DevOps evolution”.

The vast majority of companies are at a middling stage of both DevOps evolution and security integration. The survey found that 79 per cent of responding organisations were at a stage of “medium evolution” when it came to DevOps practice, unchanged on last year. The proportion of high-evolution orgs climbed from 11 per cent to 14 per cent, while low riders slipped from 10 to 7 per cent.

When it came to the level of security integration, 14 per cent were at a high level of integration, while 16 per cent were at a low level – i.e., “integration” is ad hoc.

The report’s authors pondered why it is so hard to integrate security and DevOps, “Call us cynical, but we believe it’s because good security practices don’t pay the bills. Good security is not a competitive differentiator. Getting new features out faster, on the other hand, gives you the clear competitive advantage of being early to market. So feature delivery naturally becomes the top priority.

“To change this dynamic,” they continued, “organizations need to prioritize security from the top and incentivize all teams to share responsibility for it — not just designated security specialists. Security teams need to be good partners to the rest of the business, enabling other teams to establish sound practices.”

Getting security tools and testing integrated into the development lifecycle is part of the battle – and unsurprisingly Puppet is expanding its product line beyond its traditional configuration and automation tooling and into security remediation.

“At Stage 4 of DevOps evolution,” the report said, “teams were automating security policy configurations. This helped teams progress to Stage 5, where we found the key practice of automated incident response. We also learned that organizations at Stage 5 involved their security teams in technology design and deployment.”

But we’re talking DevOps, so culture is never far away. 

“The highly evolved teams we encountered in last year’s report were not simply shifting security left. They had cultivated a powerful blend of high-trust environments, autonomous teams, and a high degree of automation and cross-functional collaboration between application teams, operations and security teams.”

This means delivery teams can make security improvements, while “Security teams are able to act in an advisory role, leading to time-saving and security-enhancing capabilities such as automated incident response. Further, these teams were able to implement transparent security policies as code.”

After all, DevOps is all about culture, and getting teams involved in software deployment means less “them and us”. As the report puts it: “People perceive that security is more valuable to the business where there’s more integration, and they’re also more likely to perceive security as a responsibility that’s shared within their organization.”

As for improving security posture, the survey has a helpful ranked list of practices. At the top is security and development teams collaborating on threat models, with integrating security tools into the development integration pipeline coming in at number two.

You can download the report here – registration required.