New Survey Reveals the Benefits of Integrating Security and DevOps

By Dan Timpson, CTO at DigiCert

DevOps might be the best thing to happen to application security. Although, admittedly, some IT security professionals may not feel that way. First, organizations started connecting their systems and employees to the Internet. Then the introduction of the smartphone launched the BYOD trend, followed by the maturation of cloud computing-based applications and services. These developments created significant new security risks. Today, enterprises are adopting a DevOps philosophy to increase their application development agility, which creates more risk if security is not brought to the table and included in planning from the beginning. On the surface it may seem that security is in a tough place, imposing policies that slow app development and can be bad for business. Yet, DevOps presents an opportunity for security to add value like never before.

The new DigiCert 2017 Inviting Security into DevOps survey demonstrates this opportunity, finding that a majority of enterprises are trying to speed up application development and improve security by integrating their security teams into their existing DevOps methodology. Or at least, they’re trying to.

“The last thing you want is to be in the Boston Globe due to a major security breach,” said one respondent who serves as an IT Director for a large Boston-based government department.

DigiCert polled 300 senior management professionals within IT, DevOps and Security teams with small, medium and large organizations that have already implemented a DevOps posture.

Respondents noted that the top three dangers of operating security outside of DevOps were:

1. Increased costs (78 percent)
2. Longer delivery cycles (73 percent)
3. Increased security risk (71 percent).

Underscoring the security risk, 59 percent of the respondents say they sometimes or often have rogue digital certificates (for example, certificates that DevOps purchased, but neglected to tell anyone in Security about, causing problems when they expire).

98 percent of respondents say they have made integrating their security teams into their existing DevOps methodology a priority. The market stands at a tipping point. About half (49 percent) are working on doing so, and the other half (49 percent) say they have completed the process.

The majority also report the process is not easy. They cite challenges such as underestimating the amount of time required, and overcoming the cultural differences among security, IT and DevOps roles. These issues appear to vary depending on where an organization is in the process.

Before making the transition, enterprises predict the top challenges will be that:

– The organization structure prohibits integration
– They lack a champion for the transition
– The security team doesn’t really work well in a team environment

But for those organizations that have completed the process, the biggest roadblocks were:

– Takes too much time
– Security team resists the change
– Lack of relationship skills required to bring the two teams together.

Note how the top challenge varies between the two groups. Technical teams begin the process with the goal of reaching completion in seven-11 months. Yet, those who claim to have completed the process report it actually required at least a year, or even two.

The key takeaway is that it however long it takes, the end result pays off. Those who have completed this integration are much more likely to report success in both security and agility.

– 22 percent more likely to report they are doing well with information security
– 21 percent more likely to report doing well meeting app delivery deadlines
– 21 percent more likely to report doing well at lowering app risk

There are four key steps an enterprise can take to balance faster and predictable app development, agility, cost and control, while also integrating security into the process:

1. Appoint a Social Leader: Identify one person who will drive cultural change by clearly defining IT, security, DevOps roles and integrating the disparate teams.
2. Bring Security to the Table: Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, and implement automated PKI to require signing and encrypting everything within the network.
3. Invest in Automation: Automate baseline security practices within DevOps workflow, including: certificate management, patching, vulnerability scanning, static code analysis.
4. Integrate and Standardize: Implement controls on certificate management processes and integrate with server configuration and orchestration platforms to enable automated security behind the scenes.

Agility and security do not have to be (and should not be) mutually exclusive. Successful companies are combining technology improvements with a cultural shift in how technical staff is aligned. The right integration of security staff and technology, including PKI, can improve organizational metrics, avoid delays or cost increases, and help prevent data breaches.