Common Goals are Essential for Successful DevSecOps
At the heart of a successful vulnerability management program is alignment between development, security, and operations teams (dubbed DevSecOps) so that they can deliver products that are both innovative and secure. That alignment requires a common set of goals. Without them, or if teams don’t communicate and collaborate well, any DevSecOps initiative will be for naught.
By now, organizations have either adopted DevSecOps or are in the process of adopting it, according to a new report by Ponemon Institute on behalf of Rezilion. The findings are based on a survey Ponemon Institute conducted over the summer among 634 IT and IT security practitioners who are knowledgeable about their organizations’ attack surface and effectiveness in managing vulnerabilities.
What’s All This Fuss About DevSecOps?
DevSecOps broadens the collaboration between development and operations teams to integrate security teams into the software delivery cycle so that security processes are introduced sooner and built into every stage of the delivery process.
The two primary reasons to adopt DevSecOps are to improve the collaboration between development, security, and operations and to reduce the time to patch vulnerabilities, according to 45% of respondents. In addition, 41% say DevSecOps automates the delivery of secure software without slowing the software development life cycle (SDLC).
This all sounds great, but in reality, the relationship between development, security, and operations remains uneasy. Only 47% of respondents say their organizations’ development team delivers both an enhanced customer experience and secure applications, the Ponemon report revealed.
And despite the benefits, participation in DevOps initiatives remains somewhat low. Fifty-one percent of respondents say they have some involvement in their organization’s DevOps activities. Of those, 52% say they are involved in vulnerability management and 49% say they are involved in application security, according to the report.
The research also shows the lack of the right security tools is the primary barrier to having an effective DevSecOps strategy.
Security Isn’t Simpatico with Dev
To make matters worse, overall, teams are not on the same page when it comes to security. Slightly more than half (55%) of development engineers, product security teams, and compliance teams are aligned to understand their organization’s security posture and each other’s area of responsibilities to deliver secure products, the Ponemon research found.
Further, 53% of respondents “are concerned that the lack of visibility and prioritization in DevOps security practices puts product security at risk.”
And, as noted above, only 47% of respondents say their development team is able to deliver both an enhanced customer experience and secure applications.
Why Collaboration is Essential For DevSecOps to Work
The findings indicate that something needs to change. Implementing DevSecOps starts with a culture shift that puts security at the center of development. You also can’t establish common goals without communication and collaboration.
Once those are in place, teams can accomplish short-term goals. However, IT best practices are always evolving, and teams need to be flexible and adaptable as they consider the future. To foster collaboration, consider changing the focus from a project mindset to a product mindset. This helps all cross-functional team members think differently as they work to support a common set of metrics and goals throughout every step of development.
The goals can be broad, like “deliver a secure and stable product at every release,” or more granular, like “add several identity verification features while ensuring GDPR compliance is met.”
Since the lack of the right security tools is impeding an effective DevSecOps strategy, another goal could be consolidating tools so that development and security can collaborate within a common interface.
Regardless of what the goals are, it’s up to management to make it clear that employees across all functions are working together to achieve the same thing – and that the cross-functional team will be evaluated as a whole.
It’s important to note that when teams communicate and share information, project delays are rarer, and vulnerability management and remediation end up costing less.
DevSecOps transformation doesn’t happen overnight. Implementing it takes time and resources, and sometimes third-party support. But at the outset, leadership must lay the foundation for what the organization wants to achieve and how teams can get there by working together.
This will help teams adapt to the DevSecOps operating model more effectively and efficiently. The results are worth it: a more communicative, collaborative, and productive IT operation, and ultimately, more customers.
Read the full report, The State of Vulnerability Management in DevSecOps, today.