A new DigiCert survey reveals that 98 percent of enterprises are integrating their security teams into their existing DevOps methodologies. Or, at least, they are trying to.
Their goal is to increase information security, IT agility and development agility. However, they face several challenges, including the amount of time required, and cultural differences among the security, IT and DevOps roles.
“Going faster introduces security risks, while maximizing security often slows things down,” said Dan Timpson, CTO at DigiCert. “The market is at a tipping point and enterprises are looking for solutions to minimize the time that it takes to integrate and to help security better fit within DevOps workflows.”
Of the enterprises surveyed, 49 percent are in the process of integrating security into DevOps and 49 percent say they have completed the effort. Those who have integrated security into DevOps report improvements to both development agility and information security, contrary to the common belief that security and agility cannot coexist. Additionally, they are:
- 22 percent more likely to report they are doing well with information security
- 21 percent more likely to report doing well meeting app delivery deadlines
- 21 percent more likely to report doing well at lowering app risk.
Repercussions of the status quo
Agile security is on the minds of enterprises with 88 percent of respondents saying it is somewhat to extremely important to integrate security into DevOps. They worry that failure to do so will lead to problems including:
- Increased costs (78 percent)
- Slower app delivery (73 percent)
- Increased security risks (71 percent).
Respondents also admit the process is not easy, although the obstacles vary depending on where an organization is in the process.
Before making the transition, enterprises predict the top challenges will be that:
- The organization structure prohibits integration
- They lack a champion for the transition
- The security team doesn’t really work well in a team environment.
For those organizations looking back after integrating security, the biggest roadblocks turned out to be:
- Takes too much time
- Security team resists the change
- Lack of relationship skills required to bring the two teams together.
Note that the top challenge cited after integrating was that the transition took too long. Technical teams underestimate the challenge of integrating security into DevOps, expecting the integration to take less than a year (seven to 11 months). Those who say they have completed the process report that it took roughly twice as long: on average, one to two years.
The DigiCert 2017 Inviting Security into DevOps survey points to four best practices for balancing development agility and information security while creating a predictable and reliable process:
- Appoint a social leader: Identify a champion to drive cultural change, including defining IT, security and DevOps roles and integrating the teams.
- Bring security to the table: Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, and sign and encrypt everything within the network using automated PKI.
- Invest in automation: Automate baseline security practices within the DevOps workflow, including certificate management, patching, vulnerability scanning and static code analysis.
- Integrate and standardize: Implement controls on certificate management processes and integrate them with server configuration and orchestration platforms, so that security is automated behind the scenes.
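As an added illustration of the "invest in automation" and "integrate and standardize" practices (example code written for this page, not DigiCert's tooling or anything the survey itself describes): a Go program that issues a constructed self-signed test certificate and runs it through the kind of baseline policy check a pipeline gate would apply before a certificate is pushed to a server. The thresholds (renew within 30 days, a 398-day maximum lifetime, a 2048-bit RSA minimum), the hostname and the function names are assumptions for the example; in a real pipeline the certificate would come from the CA or ACME client rather than being self-issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the baseline a deployment pipeline enforces on every certificate
// before it is deployed. The values are assumptions for this example, not
// thresholds taken from the survey.
type Policy struct {
	RenewWithin time.Duration // flag certificates that expire sooner than this
	MaxLifetime time.Duration // reject certificates issued for longer than this
	MinRSABits  int           // reject RSA keys shorter than this
}

func DefaultPolicy() Policy {
	return Policy{
		RenewWithin: 30 * 24 * time.Hour,
		MaxLifetime: 398 * 24 * time.Hour,
		MinRSABits:  2048,
	}
}

// CheckCert evaluates cert against p as of now and returns one message per
// violation; an empty result means the certificate may be deployed.
func CheckCert(cert *x509.Certificate, now time.Time, p Policy) []string {
	var findings []string

	if now.Before(cert.NotBefore) {
		findings = append(findings, "not yet valid")
	}
	if !now.Before(cert.NotAfter) {
		findings = append(findings, "expired")
	} else if remaining := cert.NotAfter.Sub(now); remaining < p.RenewWithin {
		findings = append(findings, fmt.Sprintf("expires in %s, renew now", remaining))
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxLifetime {
		findings = append(findings, "validity period exceeds policy maximum")
	}

	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < p.MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		// NIST-curve ECDSA keys are accepted as-is in this example.
	default:
		findings = append(findings, fmt.Sprintf("unsupported key type %T", pub))
	}

	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm "+cert.SignatureAlgorithm.String())
	}

	// Modern clients ignore the CommonName, so a deployable certificate needs a SAN.
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		findings = append(findings, "no subjectAltName")
	}
	return findings
}

// SelfSigned issues a constructed test certificate for host with a P-256 key.
// A real pipeline would receive the certificate from its CA or ACME client.
func SelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	issue := func(notAfter time.Time) *x509.Certificate {
		c, err := SelfSigned("app.example.test", now.Add(-24*time.Hour), notAfter)
		if err != nil {
			panic(err)
		}
		return c
	}
	fmt.Println("fresh:   ", CheckCert(issue(now.Add(90*24*time.Hour)), now, DefaultPolicy()))
	fmt.Println("expiring:", CheckCert(issue(now.Add(10*24*time.Hour)), now, DefaultPolicy()))
}
```

The point of running this as a gate rather than a dashboard is the "behind the scenes" part of the practice: a certificate that is about to expire, was issued for too long, or lacks a SAN fails the deployment step automatically, and the orchestration platform never pushes it. The check deliberately takes `now` as a parameter so the same function can be exercised against fixed dates in CI as well as against wall-clock time in production.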
“Agility and security are not mutually exclusive, and integration requires a combination of technology improvements, and a cultural shift in how technical staff is aligned,” said DigiCert CSO Jason Sabin. “The DevOps methodology is not just a method for increasing speed, but about improving efficiency, quality control and predictability in development outcomes. The right integration of security staff and technology, including digital certificates, can improve organizational metrics, avoid costly delays and improve the end-user experience.”