Devops has become common in software-development organisations around the world, but many companies are still struggling with cultural issues that are dampening security practitioners’ influence in the devsecops practices crucial for next-generation cloud application development.
When it’s done well, devops is driving dramatic change—with GitLab’s recently released 2021 devsecops survey of nearly 4,300 respondents finding that the COVID-19 pandemic had “energised teams to focus on embracing cutting-edge devops technologies” including Kubernetes, artificial intelligence, machine learning, and cloud computing.
Broader adoption of devops-related capabilities had sped up software development, with 84 per cent of developers saying they are releasing new software faster than ever—and one in five saying they are releasing new code 10 times faster, the GitLab survey showed.
The challenges of adopting devsecops
Yet while developers had naturally warmed to new and faster development processes, this new speed was creating paradoxical challenges around the adoption of devsecops, which is still seen by many as obstructing speed of delivery even though security mandates have become more important than ever. “In the past year, devops matured and fully arrived with these technology adoptions,” the report noted, “but there are still roadblocks to navigate before achieving true devsecops.”
Security testing remains an obstacle, with 42 per cent of respondents to the GitLab survey saying security testing was happening too late in the development process. A similar proportion said they found it difficult to process and fix security vulnerabilities.
Nonetheless, 72 per cent of surveyed security professionals said their organisations were putting in either “good” or “strong” efforts around security—up from 59 per cent the year before.
With lingering confusion over issues like who is in charge of security, GitLab vice president of security Johnathan Hunt said, “a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left.”
Long-standing challenges in devops persist in devsecops
The report validates predictions by analyst firm Gartner, which in 2020 predicted that 75 per cent of devops initiatives would fail to meet expectations due to ongoing issues around organisational learning and change.
A recent survey by cybersecurity vendor Vectra AI of 317 IT executives identified some of the most problematic issues, with nearly one-third of surveyed companies still having no formal sign-off on new software versions before pushing them into production.
With 64 per cent of companies deploying new services weekly or even more frequently, this lack of security review threatens overall security, Vector AI said, warning of “blind spots” that were only getting larger as companies expanded their investments in cloud platforms. “The cloud has expanded so much that securely configuring it with continued confidence is nearly impossible,” the company said, noting that “risk exponentially increases as more people are granted access to the [cloud] environment.”
Interestingly, some regions are feeling the drag more than others. Just 37 per cent of Asia-Pacific respondents to Puppet’s 2021 State of Devops Report, for example, said culture was a barrier to the evolution of devops practices in their organisation—well below the 47 per cent global average—while 23 per cent said that technology was more of an issue.
A “very specific set of challenges” were seen as cultural factors impeding progress to devops—including cultures that discourage risk, have unclear responsibilities, deprioritise fast flow optimisation, and fail to include sufficient feedback loops. All create an accumulation of issues over time, potentially causing stagnation that causes many organisations to plateau after only completing part of their devops transformation.
There are two different schools of thought around devsecops, the Puppet report noted. Some people say that the term shouldn’t exist because security is fundamental to both development and operations. Others see it as “an explicit call to action to start including security from the beginning of the software development life cycle,” the report noted.
“For many organisations, the relationship between the security function and the design part of software development was even more distant than that between development and operations,” the report noted. “Symbols and labels can be a powerful way to drive change.”
Fully 51 per cent of companies with highly developed devops cultures reported integrating security into requirements, while security was also being integrated into the design (61 per cent), build (53 per cent), and testing (52 per cent) stages of the software development life cycle.
Companies with less-mature devops practices reported less security rigor, with 48 per cent engaging security for scheduled audits of production and 45 per cent doing so when there was an issue reported in production.
The figures, the Puppet report concluded, confirm that “good security practices and better security outcomes are enabled by devops practices. As devops practices improve, devsecops naturally follows.”