A new report from TVP Strategy suggests that DevOps teams are failing to mitigate security flaws in the code they ship. The research also suggests ways for development teams to add automated security testing to their continuous-testing pipelines efficiently, without changing the role of the developer.
TVP Strategy, formerly known as The Virtualization Practice, is an analyst firm that reports on virtualization and cloud trends affecting today's businesses. This week it released findings from ongoing research concluding that DevOps practices are not well suited to identifying potential security flaws, especially when developers lack the tools or the security knowledge to actually fix the problems.
TVP Strategy began its research by asking how companies can mitigate the business risks of adopting the cloud securely, according to Edward Haletky, CEO and principal analyst at TVP Strategy.
The research also looked at how businesses can test at scale and as quickly as possible, covering security testing as well as functional testing. The answer, according to Haletky, is continuous testing: running both short- and long-running tests with the goal of getting feedback within the deployment window.
“The idea is to run the test, continually in parallel so that [teams] have long- and short-term tests running all the time with the most important things scheduled first,” said Haletky. “And those most important things are coming from threat feeds.”
TVP Strategy found that another area of DevOps that needs more attention is code quality metrics. Businesses need to measure the adherence of code to security, performance, and compliance policies using both automated static and dynamic processes, according to the company.
“Without that level of automation, without that level of testing and analysis, our current metrics are about how many bugs you close, and it’s not about how many bugs you create or the actual security of the code,” said Haletky.
TVP Strategy is looking for approaches that give DevOps teams and individual developers more control over their environment, and with it more visibility, so that they can make better-informed security decisions, according to Haletky.
Security risks can be mitigated at several layers: in the infrastructure, in the process and in the code. TVP Strategy suggests that if developers have visibility into the whole development and deployment process, they can determine which tests were overlooked and which were not good enough.
Another focus of TVP Strategy's research is having the business and the technical teams work from a single pool of data. The business interprets data differently than development teams do, which can create a disconnect between development and operations; TVP Strategy suggests adopting a methodology that gives everyone the same view, so that they share the same interpretation and 'finger-pointing' is removed, according to the company.
Additionally, businesses should weigh the cost of security flaws such as API key leakage, because such flaws can lead to significant losses for the business.
Haletky added that developers should be thinking about how to involve security in their agile cloud development processes or DevOps processes. Without a security mindset and the right tools giving them visibility, they won’t be able to actually fix the problems, according to Haletky.
“In talking to organizations, very few people have that mindset that are actual code developers,” said Haletky. “The other thing we found is you have to grow your security developers from within, you have to find the ones that are doing well and support them to do even better.”
One key takeaway from TVP Strategy's research so far is that developers need to be cautious about how they use their API keys. The other takeaway concerns how developers test their environments, said Haletky.
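One concrete check that follows from the API-key takeaway above, and from the earlier point about the cost of API leakage, is scanning source for hard-coded credentials before it is committed, as one of the automated tests a continuous-testing pipeline can run. The following Python script is an added example written for this page, not code from TVP Strategy's report or webcast; the key formats, the placeholder markers, the entropy floor and the sample source it scans are all constructed for illustration.

```python
"""Pre-commit style scan for hard-coded API keys in source text.

Added example for this page, not code from TVP Strategy. The key
formats, placeholder markers, entropy floor and sample source below
are constructed for illustration.
"""
from __future__ import annotations

import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Credential-looking patterns. The last capture group of each pattern is
# the candidate secret value. Vendor-specific formats come first so a line
# that matches both is reported under the more specific label.
KEY_PATTERNS = {
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Any assignment of a quoted literal to a key/secret/token/password name.
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Substrings that mark a literal as a placeholder rather than a real secret
# (an assumed, illustrative list).
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "your_", "xxx", "<", "${")

# Literals whose Shannon entropy (bits per character) falls below this floor
# look like prose or defaults rather than generated keys and are skipped.
MIN_ENTROPY = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def classify_line(line: str, min_entropy: float = MIN_ENTROPY) -> tuple[str, str] | None:
    """Return (kind, value) for the first credential-looking literal on the line, else None."""
    for kind, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(line):
            value = match.group(match.lastindex)
            # The generic pattern is noisy, so gate it on entropy; the AWS
            # format is specific enough to report as-is.
            if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            if is_placeholder(value):
                continue
            return kind, value
    return None


def scan(source: str, min_entropy: float = MIN_ENTROPY) -> list[Finding]:
    """Scan source text and return one Finding per offending line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        hit = classify_line(line, min_entropy)
        if hit is not None:
            findings.append(Finding(line_no, *hit))
    return findings


# Constructed sample: two leaks, one correct pattern, two benign literals.
SAMPLE_SOURCE = '''\
import os
API_KEY = os.environ["API_KEY"]             # fine: read from the environment
aws_access_key_id = "AKIAQ2Z7LM9XP4TR8VWB"  # leak: constructed AWS-style key
db_password = "changeme"                    # skipped: low-entropy default
token = "placeholder-token"                 # skipped: placeholder marker
svc_api_key = "q7Zt2Lp9xW4vR8kNmB3yH6cJ"    # leak: constructed high-entropy key
'''


if __name__ == "__main__":
    # Scan a file given on the command line, or the sample when none is given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    hits = scan(text)
    for f in hits:
        print(f"line {f.line_no}: {f.kind}: {f.value}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit
```

Run it as a pre-commit hook or CI step over the files being committed. The entropy floor skips prose-like literals such as "changeme", which also means it skips weak hard-coded passwords; that trade of recall for precision is deliberate here, so the script is a first line of defence to pair with a dedicated secret scanner, not a replacement for one.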
This research is ongoing, but TVP Strategy has presented some of the findings in a recent "Securely Implementing Cloud Native Applications" webcast, and the final version of the first paper will be released between VMworld Las Vegas and VMworld Barcelona.