6 Ways Mature DevOps Teams Are Killing It in Security
New survey shows where "elite" DevOps organizations are better able to incorporate security into application development.
March 19, 2019
The automation, stability of infrastructure, and inherent traceability of DevOps tools and processes offer a ton of security and compliance upsides for mature DevOps organizations.
According to a new survey of over 5,500 IT practitioners around the world, conducted by Sonatype, "elite" DevOps organizations with mature practices, such as continuous integration and continuous delivery of software, are most likely to fold security into their processes and tooling for a true DevSecOps approach.
Throughout the "DevSecOps Community Survey 2019," responses show that mature DevOps organizations have an increasing awareness of the importance of security in rapid delivery of software and the advantages that DevOps affords them in getting security integrated into their software development life cycle.
"The incorporation of security as part of the product development cycle is key," said Ariel Kirshbom of Ernst & Young, in response to one question about why DevSecOps is important to her organization. "To really embrace DevOps, security needs to be seamlessly integrated into the software development life cycle."
Most importantly, the study offers concrete statistical evidence that mature DevOps organizations are doing better in key areas, including automating security functions and tracking components and changes for compliance purposes. They are also making faster headway on securing emerging infrastructure technologies like containers and container orchestration. Read on for more about why they excel.
Mature DevOps organizations are 350% more likely to integrate automated security throughout the software delivery process, from design to development, to build and test, to pre-release and into production. Only 7% of non-DevOps organizations do automated application security analysis at design time, compared with 22% of mature DevOps organizations. At build and integration, 38% of non-DevOps organizations use automated security analysis, compared with 74% of mature DevOps organizations. And in production, fewer than 20% of non-DevOps organizations use automated security tooling, while over 50% of mature DevOps organizations do so.
When done right, DevOps is much more open to getting security processes and tools embedded directly into the developer pipeline. Whereas 61% of non-DevOps organizations say their security tooling is completely separate from the developer pipeline, 78% of mature DevOps organizations fold security tools directly into the tools developers use to get all of their work done.
Securing the software supply chain by taking control of the governance of open source components remains a challenge for all types of organizations. But the DevSecOps survey found that elite DevOps organizations are 117% more likely to manage their software supply chains. Approximately 53% of mature DevOps organizations keep a complete software bill of materials, compared with 21% of non-DevOps organizations. Meanwhile, only about 25% of non-DevOps organizations have an open source governance policy, compared with 62% of elite DevOps organizations.
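A bill of materials is only useful if something reads it. The following is an added example, not code from the article or from Sonatype: a small pipeline gate that parses a CycloneDX-style JSON SBOM and enforces a hypothetical open source governance policy (license allow list, a component deny list, pinned versions, and a declared license for every component). The SBOM fragment and the policy are constructed for illustration.

```python
"""Software-bill-of-materials policy gate (added example, not from the page).

Assumes a CycloneDX-style JSON SBOM (a list of components with purl, version
and licenses) and a governance policy kept as a dict; both are hypothetical.
"""
import json

# Constructed SBOM fragment in the CycloneDX JSON shape; not taken from the page.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "internal-util", "version": "0.0.1",
         "purl": "pkg:generic/internal-util@0.0.1"},   # no license declared
        {"type": "library", "name": "libfoo", "version": "",
         "purl": "pkg:generic/libfoo"},                  # version not pinned
    ],
})

# Hypothetical governance policy, the kind a team keeps in version control.
POLICY = {
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause", "ISC"},
    "denied_purl_prefixes": ("pkg:npm/left-pad",),
    "require_version": True,
    "require_license": True,
}


def component_licenses(component):
    """Return the SPDX ids, names or expressions declared for one component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
        elif "name" in lic:
            ids.append(lic["name"])
        elif "expression" in entry:
            ids.append(entry["expression"])
    return ids


def evaluate_sbom(sbom_json, policy):
    """Return a list of (purl, reason) violations; an empty list means the gate passes."""
    sbom = json.loads(sbom_json)
    violations = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl") or comp.get("name", "<unnamed>")
        if any(purl.startswith(p) for p in policy["denied_purl_prefixes"]):
            violations.append((purl, "component is on the deny list"))
        if policy["require_version"] and not comp.get("version"):
            violations.append((purl, "no pinned version"))
        lics = component_licenses(comp)
        if policy["require_license"] and not lics:
            violations.append((purl, "no license declared"))
        for lic in lics:
            if lic not in policy["allowed_licenses"]:
                violations.append((purl, f"license {lic} not in allow list"))
    return violations


if __name__ == "__main__":
    found = evaluate_sbom(SAMPLE_SBOM, POLICY)
    for purl, reason in found:
        print(f"FAIL {purl}: {reason}")
    # Non-zero exit fails the pipeline stage that runs this gate.
    raise SystemExit(1 if found else 0)
```

Run it as a build step and fail the job on a non-zero exit; the same function can be pointed at an SBOM produced by whatever generator the team already uses, as long as it emits the CycloneDX component shape.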
While fewer than 20% of organizations with no DevOps practices use container-specific security tools, that figure shoots up to nearly 50% for elite DevOps organizations. This is critical considering the growth in containerization at organizations of all types in the past few years. According to the survey, only 9% of non-DevOps organizations have automated security and compliance checks in place for container orchestration tools like Kubernetes, but 40% of elite DevOps organizations do. Clearly both categories have room to grow, but mature DevOps organizations are much further along.
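What an "automated security and compliance check" for Kubernetes looks like in practice: the following is an added example, not code from the article or any particular tool. It takes a Deployment manifest (constructed here in JSON form so it runs without extra libraries) and flags the baseline problems a pipeline gate would refuse before anything reaches a cluster: host namespace sharing, privileged containers, missing non-root and read-only-filesystem settings, images not pinned by digest, and missing resource limits. The rule set is illustrative, not a standard.

```python
"""Pod-spec compliance gate (added example, not from the page or any vendor tool).

Checks a Kubernetes workload manifest, supplied as JSON, against a small
baseline rule set. The manifest and rules are hypothetical.
"""
import json

# Constructed Deployment manifest; one compliant and one non-compliant container.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "web",
             "image": "registry.example.com/web:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar",
             "image": "registry.example.com/sidecar@sha256:" + "ab" * 32,
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True},
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        ],
    }}},
})


def pod_spec(manifest):
    """Locate the Pod spec for a bare Pod or a templated workload (Deployment, etc.)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_container(container):
    """Return (container name, reason) findings for one container spec."""
    sc = container.get("securityContext", {})
    name = container.get("name", "<unnamed>")
    image = container.get("image", "")
    findings = []
    if sc.get("privileged"):
        findings.append((name, "privileged container"))
    # Kubernetes defaults allowPrivilegeEscalation to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append((name, "allowPrivilegeEscalation not set to false"))
    if not sc.get("runAsNonRoot"):
        findings.append((name, "runAsNonRoot not set"))
    if not sc.get("readOnlyRootFilesystem"):
        findings.append((name, "root filesystem is writable"))
    if "@sha256:" not in image:
        findings.append((name, "image not pinned by digest"))
    if not container.get("resources", {}).get("limits"):
        findings.append((name, "no resource limits"))
    return findings


def check_manifest(manifest_json):
    """Return all findings for a manifest; an empty list means the gate passes."""
    manifest = json.loads(manifest_json)
    spec = pod_spec(manifest)
    findings = []
    if spec.get("hostNetwork"):
        findings.append(("<pod>", "hostNetwork enabled"))
    if spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(("<pod>", "host PID/IPC namespace shared"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(c))
    return findings


if __name__ == "__main__":
    found = check_manifest(SAMPLE_MANIFEST)
    for where, reason in found:
        print(f"FAIL {where}: {reason}")
    raise SystemExit(1 if found else 0)
```

The same checks can be enforced a second time at admission in the cluster; running them in the pipeline first gives developers the finding next to the manifest they just changed, which is the "fold security into the developer's tools" point the survey makes.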
Elite DevOps organizations are 29% more likely to have incident response plans in place than their peers, with 81% of those mature organizations stating they have response plans, the survey shows.
"Elite DevSecOps practices have come to realize that breaches are an inevitable part of business and, as a result, are ensuring plans exist to help accelerate operations returning to normal following an incident," the report explains.