As DevOps Accelerates, Security's Role Changes

There remains a disconnect between developers and security teams, with uncertainty around who should handle software security.

DevOps adoption rates have increased, with 25% of companies reporting three to five years of practice, and another 37% reporting one to three years. The jump has accelerated development but driven what researchers call "a clear disconnect" between developers and security teams.

As part of its 2020 Global DevSecOps Survey, GitLab researchers polled more than 3,650 people on their DevOps successes and challenges. They learned that the accelerating adoption of DevOps, and the implementation of new tools that comes with it, has led to changes in job functions, tool choices, and organizational charts within the development, security, and operations teams.

"One of the biggest changes is a majority of respondents indicated that even today their roles are changing dramatically," says Jonathan Hunt, vice president of security with GitLab. "Over 60% of developers indicated they feel their role is changing and about 80% of security teams feel their roles and responsibilities are changing as well, with respect to DevSecOps strategy." 

No longer is DevSecOps a futuristic concept or cutting-edge strategy people don't know much about, Hunt adds. Businesses have subscribed to the idea that DevOps and DevSecOps provide a significant advantage in developing code faster and identifying vulnerabilities sooner. These findings are echoed in a Dark Reading study focused on secure application development: 75% of organizations surveyed credit their development team with being knowledgeable about application security, and 70% say security is involved in their software development efforts.

Many organizations continue to experience a disconnect between developer and security teams. Dark Reading data shows 30% of developers are promoting code without security's involvement, and 30% of respondents consider the relationship between the teams as "neutral," "poor," or "nonexistent." More than 25% of developers in GitLab's study feel solely responsible for security, compared to 23% of testers and 21% of operations pros. Roughly one-third of security pros say they own security; 29% think everyone should be responsible for it.

Shifting Left

Nearly 75% of GitLab respondents say they have shifted testing left, meaning it's closer to the development process. Security is a tricky subject "no matter where you sit in a development organization," researchers note in their report. Nearly 40% of respondents rate their security efforts as good, while nearly 30% describe theirs as fair, and 20% as strong. 

Security pros are experiencing changes in their day-to-day responsibilities as security becomes a higher priority. Nearly 28% say they're part of a cross-functional team focused on security, and 27% say they are more hands-on and involved in daily development activities. Most (65%) security pros say their organization is bringing security into the development process earlier.

"I think the organizations are ready, and developers are ready, to take on more responsibility and participate in shared responsibility of security, but they need the tooling and guidance to do so," says Hunt. Data indicates both guidance and tooling are lacking, he continues, and right now "it's very indicative they may not know what tooling is needed," he adds.

Why Security Testing Is Tricky

Security testing remains a significant source of frustration for infosec teams. More than 42% say it happens too late in the development lifecycle; 36% say it's difficult to understand, process, and fix any vulnerabilities discovered. More than 30% describe prioritizing vulnerability remediation as an "uphill battle," and nearly 30% say it's hard to find someone to fix the bugs.

Even though most organizations perform code reviews, only 25% of vulnerabilities are caught prior to production, Hunt points out. Part of the reason, he says, is a lack of accountability.

"On average, developers are not evaluated or rated against the quality of code they produce but for the amount of code they produce," he says. "This leads to shortcuts and inattentiveness to code quality, which leads to the growth of bugs and vulnerabilities being produced."

Another factor is a lack of training: there are more than 600 categories of flaws, Hunt notes, and those doing code reviews are unlikely to have experience in detecting most vulnerabilities. There is also a lack of automation with the right tooling. Most code reviews are manual, or are check-the-box requirements performed because PCI or another framework mandates them. "There are a number of SAST/DAST tools that can be integrated into CI/CD pipelines that will do a relatively good job at identifying vulnerabilities and your level of risk prior to production push," Hunt explains.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
