Reality and perception of secure DevOps are two different worlds

Adopting a DevOps culture can mean more secure apps - but are we really striving towards it?

Pretty much all IT operations professionals (99 per cent) agree – adopting a DevOps culture can improve application security. This is according to a new report by Hewlett Packard Enterprise.  

The report, entitled Application Security and DevOps Report 2016, also emphasises that just a fifth (20 per cent) of respondents test their applications' security during development, and 17 per cent are using no technologies whatsoever to protect their apps. The conclusion of the report is simple – there is a significant disconnect between the perception and the reality of secure DevOps.

“Our research shows that both security leaders and developers believe that the DevOps movement has the potential to significantly improve application security, but organizations are struggling to realize that potential so far,” said Jason Schmitt, vice president and general manager, HPE Security Fortify, Hewlett Packard Enterprise.  

“By understanding the current state of DevOps and best practices for integrating security into the development culture, organizations can successfully secure software in this new DevOps world without impeding the speed and agility that it brings.” 

HPE says implementing DevOps means more secure software development, but there are barriers in the way. The biggest issue is that developers and security teams often don’t work together – some dev teams have even admitted to not knowing who the security folks in their organisation are.  

There is also a lack of awareness, emphasis and training for developers and, finally, a serious shortage of application security talent.

“Adopting a DevOps process can help make applications more secure, since the development and production environments are built the same way and to the same security standards and testing,” said John Meakin, Group Information Security Officer, Burberry.

“However, it requires a commitment across the organization to prioritize security, and incorporate more automated testing solutions that make it easier to gather real-time feedback and remediate vulnerabilities throughout the development process.”