4 Barriers to DevSecOps Adoption
DevSecOps is a process that aims to build security in at the outset of software development. It ensures security audits and testing throughout the agile development process so that security is a priority – not an afterthought.
A new survey of more than 1,000 security leaders conducted by Ponemon Research and security firm Reliaquest finds almost half (49%) of security leaders are enabling DevSecOps best practices in their organizations. That’s a promising number. But with the obvious benefits that come with ensuring secure software development, why aren’t more organizations on board with DevSecOps yet?
Some of the barriers to DevSecOps adoption are organizational, and others are cultural. Several challenges keep DevSecOps from taking off.
Friction Between Teams
There is a long-standing tension between developers and security teams in organizations around the world. DevOps wants to write code and push new products to innovate and stay competitive. Security teams want to ensure applications are secure and unexploitable so that their organization stays safe. These two desires often collide: DevOps wants to keep moving, and security is seen as a bottleneck to its progress. This friction, and the disparate goals behind it, can lead to a lack of collaboration and to distrust.
Lack of Understanding
Security and DevOps aren’t trying to get in one another’s way. Rather, there is a fundamental lack of understanding of the other team’s goal. DevOps often lacks awareness of security issues and of the impact that security vulnerabilities can have on an environment. They may see security “gatekeepers” as simply a nuisance when, in fact, unpatched vulnerabilities can be exploited and lead to a devastating breach.
According to Ponemon, the current cost of a breach is $3.86 million.
Even if you have a DevOps team that is invested in security, the manual patching required once scanners have surfaced vulnerabilities can take unrealistic amounts of time.
Understanding the actual attack surface, rather than a perceived attack surface, is key here. Many vulnerabilities do not require manual patching, so the ability to identify and prioritize the ones that do can significantly reduce this manual effort.
Lack of Proper Tools
DevOps and security teams need the right tools and training in order to truly implement a DevSecOps program. An annual study that compares organizations with mature DevSecOps practices against those with immature programs finds that the happiest developers are 2.3 times more likely to be using automated security tools. Mature DevOps teams properly integrate automated security tools almost twice as often as immature development practices, according to the research.
What DevSecOps teams need are tools that can be deployed in both the development (CI) and operations (Ops/Production) domains and that offer full-stack coverage, so that these silos disappear and the two missions become one.
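The two preceding sections make two practical points: scanner output must be prioritized by the actual attack surface (is the vulnerable component really loaded, is the service really exposed, is a fix even available), and the tooling that does this should run inside CI rather than as a separate gate. The script below is an added illustration of both, written for this page; it is not code from the article or from Ponemon or ReliaQuest. The findings, the asset context (internet_facing, loaded_packages), the three priority buckets and the CVSS 7.0 threshold are all constructed, hypothetical choices for the example; a real pipeline would take findings from its SCA or SAST tool and the runtime context from an SBOM or deployment inventory.

```python
"""
Vulnerability triage as a CI gate: rank scanner findings by the actual
attack surface (is the package loaded at runtime, is the service
internet facing, is a fix available) instead of by CVSS score alone.

Every input below is constructed sample data for this example; none of it
comes from a real scanner, product or report.
"""
from dataclasses import dataclass

# Constructed scanner findings in a normalised shape: package name,
# CVSS base score, and whether the vendor has shipped a fixed version.
SAMPLE_FINDINGS = [
    {"id": "FINDING-0001", "package": "libfoo", "cvss": 9.8, "fix_available": True},
    {"id": "FINDING-0002", "package": "libbar", "cvss": 9.1, "fix_available": True},
    {"id": "FINDING-0003", "package": "libbaz", "cvss": 7.5, "fix_available": False},
    {"id": "FINDING-0004", "package": "libqux", "cvss": 5.3, "fix_available": True},
]

# Constructed asset context for the service under test (hypothetical).
# "loaded_packages" models what is actually imported at runtime, e.g. an
# SBOM diffed against a runtime profile; libbar is vendored but never loaded.
SAMPLE_CONTEXT = {
    "internet_facing": True,
    "loaded_packages": {"libfoo", "libbaz", "libqux"},
}

# Hypothetical threshold: findings at or above this score are "high".
HIGH_SEVERITY = 7.0


@dataclass
class Triaged:
    id: str
    package: str
    cvss: float
    reachable: bool        # package is actually loaded by the service
    exposed: bool          # reachable AND the service is internet facing
    fix_available: bool
    priority: str          # "patch-now", "patch-soon" or "track"


def triage(findings, context):
    """Assign each finding a priority from its score plus exposure context."""
    triaged = []
    for f in findings:
        reachable = f["package"] in context["loaded_packages"]
        exposed = reachable and context["internet_facing"]
        high = f["cvss"] >= HIGH_SEVERITY
        if not reachable:
            # Perceived, not actual, attack surface: record it, do not block on it.
            priority = "track"
        elif exposed and high and f["fix_available"]:
            priority = "patch-now"
        elif high and (exposed or f["fix_available"]):
            # Exposed with no fix yet (mitigate and re-check), or internal but fixable.
            priority = "patch-soon"
        else:
            priority = "track"
        triaged.append(Triaged(f["id"], f["package"], f["cvss"],
                               reachable, exposed, f["fix_available"], priority))
    # Most urgent first, then by score within a bucket.
    order = {"patch-now": 0, "patch-soon": 1, "track": 2}
    triaged.sort(key=lambda t: (order[t.priority], -t.cvss))
    return triaged


def ci_gate(triaged):
    """Exit code for the CI job: 1 only if something must be patched now."""
    return 1 if any(t.priority == "patch-now" for t in triaged) else 0


if __name__ == "__main__":
    results = triage(SAMPLE_FINDINGS, SAMPLE_CONTEXT)
    for t in results:
        print(f"{t.priority:10} {t.id} {t.package:7} cvss={t.cvss:<4} "
              f"reachable={t.reachable} exposed={t.exposed} fix={t.fix_available}")
    raise SystemExit(ci_gate(results))
```

Run as a pipeline step, the script fails the build only for the one finding that is loaded, exposed and fixable (libfoo), while the unloaded but high-scoring libbar is kept on the tracking list instead of blocking developers; that separation is what turns a scanner from a gatekeeper into a tool both teams can act on.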
Break Down Barriers to DevSecOps
It’s clear that DevSecOps is a growing movement that more organizations are embracing to ensure secure software development from the beginning of the process and throughout. But there is still a lot of work to do before every team reaches a state of agile security and mutual trust. With the right tools, and an investment in helping each team understand the other’s mission, a successful DevSecOps program can be implemented.