View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 25, 2016

Firms struggling to secure software in the DevOps world, says HPE report

DevOps can help boost secure software development, as organisations can potentially find and remediate vulnerabilities more frequently and earlier in the application lifecycle.

By Ellie Burns

HPE has drawn focus towards the critical need for organisations to close the integration gap between security and DevOps with the publication of its Application Security and DevOps Report 2016.

According to the report, 99% of all respondents agree that adopting a DevOps culture has the opportunity to improve application security. However, only 20% are doing application security testing during development, and 17% are not using any technologies to protect their applications. This, HPE argues, highlights a significant disconnect between the perception and reality of secure DevOps.

“Our research shows that both security leaders and developers believe that the DevOps movement has the potential to significantly improve application security, but organizations are struggling to realize that potential so far,” said Jason Schmitt, vice president and general manager, HPE Security Fortify, Hewlett Packard Enterprise.

“By understanding the current state of DevOps and best practices for integrating security into the development culture, organizations can successfully secure software in this new DevOps world without impeding the speed and agility that it brings.”

devopsThe report highlighted a number of barriers which can hinder an organisation’s ability to realise the tremendous promise that DevOps holds for secure software development.

Firstly, a significant disconnect between developers and security teams was found to be a major organisational barrier – with even some respondents admitting to not even knowing their security teams. This led to 90% of security professionals stating that integrating application security has become more difficult since their organisations deployed DevOps.

At what will come as no surprise to those following the tech skills shortage, HPE found a major lack of security awareness, emphasis and training for developers. Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the skills required. This barrier then extends to the shortage of application security talent, with only one application security professional for every 80 developers in the organisations surveyed.

Content from our partners
Scan and deliver
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
GenAI cybersecurity: “A super-human analyst, with a brain the size of a planet.”
Cloud, AI, and cyber security – highlights from DTX Manchester
Cloud, AI, and cyber security – highlights from DTX Manchester

The lack of security personnel, along with the increasingly rapid development cycle make secure development extremely difficult.

john meakin

John Meakin, Group Information Security Officer, Burberry.

“Adopting a DevOps process can help make applications more secure, since the development and production environment are built the same way and to the same security standards and testing,” said John Meakin, Group Information Security Officer, Burberry.

“However, it requires a commitment across the organization to prioritize security, and incorporate more automated testing solutions that make it easier to gather real-time feedback and remediate vulnerabilities throughout the development process.”

In order to tackle the barriers detailed in the report, HPE made three recommendations:

 

  • Security should be a shared responsibility across the organization to eliminate barriers. Security must be imbedded throughout every stage of the development process, with executive support and metrics to hold teams accountable for secure development. These metrics should focus on mean-time-to-triage (MTTT), mean-time-to-fix (MTTF), and program compliance.

 

  • Bridge awareness, emphasis, and training gaps by making it seamless and more intuitive for developers to practice secure development. Organizations should integrate security tools into the development ecosystem to allow developers to find and fix vulnerabilities in real-time as they write code. This makes it easy and efficient to develop securely, and educates the developer on secure coding in the process.

 

  • Leverage automation and analytics as application security force multipliers. Organisations should leverage enterprise-grade application security automation with analytics built in to automate the application security testing audit process and allow their application security professionals to focus only on the highest priority risks. This reduces the number of security issues that require manual review, saving both time and resources, while lowering overall risk exposure.

Topics in this article : , ,
Websites in our network
The New Statesman Press Gazette Spears World of Fine wine Elite Traveler Leadmonitor
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU