When it comes to infusing security concerns into a DevOps culture, most organizations still have a very long way to go. A global survey of 1,279 IT leaders conducted by the market research firm Freedom Dynamics on behalf of CA Technologies finds that more than half of respondents (58 percent) cited existing culture and lack of skills as hurdles to embedding security testing and evaluation within software development processes. Only 24 percent strongly agreed that their organization’s culture and practices supported collaboration across development, operations and security.
More challenging still, less than a quarter of respondents strongly agreed that senior management would sacrifice time to market to make sure there is sufficient time to assess and repair software security vulnerabilities.
Chris Wysopal, CTO for the Veracode portfolio of security testing tools CA Technologies acquired last year, said the survey results make it clear many organizations are still wrestling with the concept of DevSecOps. Many of them may be far along the path to building a culture around DevOps, but more often than not, security teams haven’t been included in those processes, says Wysopal.
Because security teams are not included, many organizations wind up incurring substantial costs by having to address a much broader number of security updates to applications running in production environments. Organizations that have shifted security to the left as part of a more comprehensive approach to DevSecOps discover and eliminate many more security issues during the development process.
Wysopal said the survey bears out those conclusions. The survey finds that the top 34 percent of respondents, those who report their organizations have fully integrated security into their software development life cycles, view security as an enabler of new business opportunities. These organizations typically exhibited 50 percent higher profit growth and 40 percent higher revenue growth. They are also 2.6 times more likely to have security testing keep up with frequent application updates. Wysopal conceded there’s no direct correlation between better security and better overall corporate performance. But at the very least, the results indicate that organizations that invest more time in DevSecOps are not adversely impacting financial performance.
Organizations that embrace DevSecOps not only ship higher-quality software that reduces the total cost of application ownership, they also are typically in a much better position to absorb the application update impact of unexpected security events, such as the discovery of the Spectre and Meltdown flaws in processors. Because of the need to patch these flaws, application update processes are now being stressed across the entire IT industry.
It remains to be seen what impact the need to quickly address these flaws will have on adoption of DevSecOps. Wysopal noted that the old way of addressing security issues during a waterfall-based approach to application development simply doesn’t work in the age of agile development. IT security teams now need to work hand in glove with application developers. The challenge now, Wysopal said, is getting the leaders of those organizations to come to terms with the impact that change may have on the pace at which software is developed. But given the critical role software now plays in core business processes, organizations will soon come to appreciate the need to better balance the speed of application development against all the potential risks involved.