Organizations Want to Adopt DevSecOps. What’s Getting in Their Way?
Security leaders are eager to move to a DevSecOps approach—and why wouldn’t they be? DevSecOps has been emerging as a key component in organizations’ efforts to build strong security into all the software products they deliver.
The adoption and implementation of the DevSecOps methodology involves multiple facets of organizations and brings together security and development professionals in a collaborative mission to deliver products that are both high in quality and secure.
Organizations have adopted DevSecOps for a number of reasons, according to a recent survey of 634 IT and security leaders by Ponemon Institute. The most commonly cited in the research, sponsored by Rezilion, were to improve the collaboration between development, security and operations; and to reduce the time to patch vulnerabilities (each cited by 45% of the respondents).
Other reasons for adoption are to automate the delivery of secure software without slowing the software development cycle (41%); to eliminate duplicative review and unnecessary rebuilds (40%); to reduce the cost and time to fix the code (40%); and to have a centralized approach to code review (39%).
Unfortunately there are multiple factors getting in the way of effective or advanced DevSecOps adoption. According to the Ponemon research, the lack of the right security tools is the primary roadblock to having an effective DevSecOps, cited by 54% of the respondents.
This challenge is followed by a lack of workflow integration (53%); the growing vulnerability backlog (52%); growth in application security vulnerabilities (43%); and insufficient budget (36%). Less common responses include lack of effective testing tools, lack of automation, and lack of security training.
The organizations facing these and other challenges need to address them, because DevSecOps is fundamental for ensuring that security is part of the entire software development process.
As the report notes, “at the heart of having a successful vulnerability management program is alignment between DevSecOps and the development team in being able to achieve both innovation and security when delivering products.”
The study defines DevSecOps as the automation of the integration of security at every phase of the software development lifecycle—from initial design through integration, testing, deployment and software delivery.
All of the organizations represented in the study are either planning or have planned their DevSecOps to improve security in the development of applications. However, only 29% of them said they have reached a mature stage, with DevOps fully transitioned into DevSecOps and security integrated at every phase of the software development lifecycle.
Many more (40%) are in the middle stage with DevSecOps, having planned and defined a DevSecOps approach and begun integrating security into the software development lifecycle. And 31% are still in the early stage, just beginning to plan a DevSecOps approach.
For those that have not advanced in DevSecOps maturity, the time to act is now. Software vulnerabilities can lead to serious security incidents that can impact multiple organizations. With software such an integral component of digital business, organizations can’t afford to take a lax approach to building security controls into their products.
Read the full report: The State of Vulnerability Management in DevSecOps.