View all newsletters
Receive our newsletter – data, insights and analysis delivered to you
  1. Technology
  2. Software
April 25, 2018

Need for Speed Making DevOps Teams Sloppy on Application Security Testing

More haste, less speed, says Synopsys, as survey finds enterprise software release race means security is getting neglected

By CBR Staff Writer

DevOps teams are struggling to incorporate application security into their workflow.  That’s according to Synopsys, which just released a report detailing the lack of application security testing in over 50% of Continuous Integration/Continuous Delivery (CI/CD) workflows, following a survey of 350 IT decision makers across a range of industries.

The state of DevOps security

DevOps (Development Operations) has seen immense growth within the past few years due to its practicality for businesses, who can now streamline their Software Development Life Cycle and in some cases reduce their overheads. (DevOps is essentially bringing together operations and development engineers on a service lifecycle, from design through development, to production support).

The significant size of infrastructure involved in enterprise CI/ CD workflows, makes the scaling of DevSecOps (which bakes security into DevOps) even more complex and difficult, the authors highlighted, saying: “We found across industries only about half of CI/CD workflow implementations include any application security testing elements”.

Why are DevOps teams struggling?

There are a variety of reasons that DevOps teams are struggling, however the report highlights the top three causes as:

* Lack of automated, integrated security testing tools

* An inconsistent approach

* Security testing slowing things down

Content from our partners
Harnessing the power of low code and no code development
Signs your accounting software is no longer fit for your growing business
Incumbent banks must transform at speed, or miss the benefits of open banking

Speed seems to be a particular issues: the survey points to the increasing speed of enterprise software releases. Nearly half of respondents (49 percent) indicated code changes or releases were deployed in a matter of days; 22 percent said hours.

Synopsys said: “Even though the popular view is that security slows down software releases, we believe organizations can save themselves rework headaches and time by considering and injecting security early in the process and choosing security tools and elements that can be integrated and automated.”

What Kind of Security Testing?

Some 61% percent of respondents identified software composition analysis (SCA) and CVE scanning as the most critical elements of application security testing.

Synopsys said in the report: “We’re not surprised to see this pointed out as most critical given recent security incidents – including Heartbleed and the Apache Struts vulnerability that caused the Equifax breach – have highlighted potential risks, particularly in open source software. Nevertheless, with cloud computing, containers, microservices and other leading-edge technology, open source software is typically a significant and meaningful part of CI/CD pipelines and workflows.”

The reports authors added: “We would also highlight that even though composition analysis was perceived as the most critical element of DevSecOps, nearly 40% of our survey respondents reported use of no tool to find vulnerabilities in open source software in use, or that they didn’t use open source at all; a somewhat dubious claim given the prevalence of open source in today’s enterprise software releases.”

The General Consensus

DevOps does not appear to be slowing down, and firms will only continue to adopt this approach into their operations. Enterprises would benefit, Synopsys emphasises, from injecting security elements earlier in the software development lifecycle; most effectively at code commit. By supporting integration and collaboration that includes security elements and personnel, businesses could maintain the speed and scale of CI/CD releases, but do so in a secure manner that reduces risk and rework.

See also: Synopsys puts Black Duck on its bill in $565m acquisition

 

 

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED

THANK YOU