The research highlights that a strong DevOps culture based on collaboration and sharing across teams leads to an improved security posture. Twenty-two percent of the firms at the highest level of security integration have reached an advanced stage of DevOps maturity, compared with only 6 percent of the firms with no security integration. Additionally, the report found that Europe is pulling ahead of the US and the Asia Pacific regions when it comes to firms with an overall ‘significant to full’ integration status, with 43 percent as opposed to 38 percent or less.
“The DevOps principles that drive positive outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive positive security outcomes. Organisations that are serious about improving their security practices and posture should start by adopting DevOps practices,” said Alanna Brown, Senior Director of Community and Developer Relations at Puppet and author of the State of DevOps report. “This year's report affirms our belief that organisations who ignore or deprioritise DevOps are the same companies who have the lowest level of security integration and who will be hit the hardest in the case of a breach.”
Key findings from the report:
● Security doesn’t have to take a back seat to feature delivery. Firms at the highest level of security integration are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration — 61 percent are able to do so. Compare this with organisations that have not integrated security at all: Fewer than half (49 percent) can deploy on demand.
● Cross-team collaboration builds confidence in an organisation’s security posture. Eighty-two percent of survey respondents at firms with the highest level of security integration said their security policies and practices significantly improve their firm’s security posture. Compare this with respondents at firms with no security integration — just 38 percent had that level of confidence.
● The more security is integrated into the software delivery lifecycle, the more delivery teams see security as a shared responsibility. Firms integrating security throughout the lifecycle are more than twice as likely to be able to stop a push to production for a medium security vulnerability, ensuring their customers are protected from the risk of releasing insecure code.
● Security integration is messy, especially in the middle stages of evolution. In these middle stages, security and delivery teams experience higher friction while collaborating, software delivery slows down, and audit issues both increase and require immediate attention. Friction is even higher for respondents who work in security jobs than for those who work in non-security jobs. But if they stick with it, they will reap the rewards of that hard work and start seeing quicker results. Seventy-nine percent of the companies surveyed were in this stage.
“It shouldn’t be a surprise to anyone that integrating security into the software delivery lifecycle requires intentional effort and deep collaboration across teams,” said Michael Stahnke, VP of Platform Engineering, CircleCI. “What did surprise me, however, was that the practices that promote cross-team collaboration had the biggest impact on the teams’ confidence in the organisation’s security posture. Turns out, empathy and trust aren’t automatable.”
“This year’s report reinforces Splunk’s belief in how important it is to take a collaborative and integrated approach to service delivery,” said Andi Mann, Chief Technology Advocate, Splunk. “The 2019 State of DevOps Report proves that aligning Development, IT Operations, SRE, Incident Response, Security, and Business Analytics teams across organisations enables all stakeholders to deliver improved, more secure software services.”
Best Practices
Firms that have integrated security at all stages of delivery collaborate early, often and, most importantly, deeply. The survey revealed that the top five practices that improve security posture are:
● Security and development teams collaborate on threat models.
● Security tools are integrated in the development integration pipeline so engineers can be confident they’re not inadvertently introducing known security problems into their codebases.
● Security requirements, both functional and non-functional, are prioritised as part of the product backlog.
● Security experts evaluate automated tests and are called upon to review changes in high-risk areas of the code (such as authentication systems, cryptography, etc.).
● Infrastructure-related security policies are reviewed before deployment.
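To make the second and fourth practices concrete, and the "stop a push to production for a medium security vulnerability" finding above, here is a small pipeline gate in Python. It is an added example written for this page, not code from Puppet, the report or any of the vendors quoted; the scanner output format, the repository paths treated as high-risk and the security team name are all assumptions for illustration, and the findings it consumes are constructed sample data.

```python
"""Minimal CI security gate (added example; not code from Puppet or the report).

Two practices from the list above in running form:
  * scanner results feed a gate that stops promotion on medium-or-worse findings
    unless a finding is an explicitly accepted risk, and
  * changes under high-risk paths (authentication, cryptography, IAM) require a
    sign-off from the security team before the pipeline proceeds.
The report format, paths and team name are assumptions, not a real tool's output."""
import json
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, Iterable, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed repository layout. fnmatch's "*" also crosses "/", so one pattern per
# subtree is enough to cover nested files.
HIGH_RISK_PATHS = ("src/auth/*", "src/crypto/*", "infra/iam/*")

# Constructed scanner output in the shape this example expects (not a real format).
SAMPLE_REPORT = json.dumps({"findings": [
    {"tool": "sast", "rule": "sql-injection", "severity": "high",
     "path": "src/api/search.py", "fingerprint": "fp-001"},
    {"tool": "deps", "rule": "vulnerable-dependency", "severity": "medium",
     "path": "requirements.txt", "fingerprint": "fp-002"},
    {"tool": "lint", "rule": "debug-logging", "severity": "low",
     "path": "src/api/search.py", "fingerprint": "fp-003"},
    {"tool": "iac", "rule": "open-security-group", "severity": "medium",
     "path": "infra/network.tf", "fingerprint": "fp-004"},
]})


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    path: str
    fingerprint: str  # stable id so an accepted risk stays accepted across runs


def load_findings(report_json: str) -> List[Finding]:
    """Parse the (assumed) JSON report into Finding records, normalising severity case."""
    return [Finding(f["tool"], f["rule"], f["severity"].lower(), f["path"], f["fingerprint"])
            for f in json.loads(report_json)["findings"]]


def blocking_findings(findings: Iterable[Finding], threshold: str = "medium",
                      accepted: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Findings at or above `threshold` whose fingerprint is not an accepted risk.

    Unknown severities rank as 0 so a tool emitting a new label cannot silently block."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= floor and f.fingerprint not in accepted]


def high_risk_changes(changed_files: Iterable[str],
                      patterns: Iterable[str] = HIGH_RISK_PATHS) -> List[str]:
    """Changed files that fall under a high-risk pattern and so need a security reviewer."""
    return [p for p in changed_files if any(fnmatch(p, pat) for pat in patterns)]


def gate(findings: Iterable[Finding], changed_files: Iterable[str], approvers: Iterable[str],
         accepted: FrozenSet[str] = frozenset(),
         security_team: FrozenSet[str] = frozenset({"sec-team"}),
         threshold: str = "medium") -> Tuple[bool, List[str]]:
    """Decide whether the change may be promoted. Returns (ok, reasons_if_blocked)."""
    reasons = [f"{f.tool}:{f.rule} ({f.severity}) in {f.path}"
               for f in blocking_findings(findings, threshold, accepted)]
    risky = high_risk_changes(changed_files)
    if risky and not (set(approvers) & set(security_team)):
        reasons.append("security sign-off required for: " + ", ".join(risky))
    return (not reasons, reasons)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    ok, why = gate(findings, ["src/auth/session.py", "README.md"],
                   approvers={"dev-a"}, accepted=frozenset({"fp-004"}))
    print("PROMOTE" if ok else "BLOCKED")
    for reason in why:
        print(" -", reason)
```

The accepted-risk list is keyed on a stable fingerprint rather than file and line so that an accepted finding does not re-block the pipeline after an unrelated edit moves it, and the sign-off check is a separate reason from the scanner findings so that a blocked build tells the engineer whether they need a fix or a reviewer.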