The DevOps community is struggling with bringing security into the organization and across the software development life cycle (SDLC). However, new research from Sonatype reveals that while companies continue to face breaches, mature development organizations finally realize how critical it is to weave automated security early in the SDLC.
Sonatype, a software automation and security company, received feedback from more than 2,000 IT professionals for its 2017 DevSecOps Community Survey. After analyzing the responses, Sonatype found that IT organizations described their DevOps practices as very mature or of improving maturity (67%), with 47% of traditional development and operations teams reporting that security teams and policies are slowing them down.
Traditionally, security teams sat outside of development and operations, and security experts say it has been treated as a “bolt-on process,” where it gets added in after development. According to Sonatype vice president and DevOps advocate Derek Weeks, security is now being addressed earlier on during development.
The biggest surprise from the survey results was the dramatic difference in security automation from 2014 until now, due primarily to organizations that have more mature DevOps practices. Weeks said that according to this year’s survey, 58% of mature DevOps teams have automated security as part of their continuous integration practices.
He said that this delivers a few messages to the DevSecOps community. First, the evolution towards automated security early and everywhere has already happened. The second message is for those that are somewhat doubtful or resistant to security being built into the DevOps native world, he said. The survey did find that some companies are resisting DevSecOps, with 58% of respondents claiming security is an inhibitor to DevOps agility.
“[This survey] shows a lot of evidence that those who choose to pursue [DevSecOps] achieve it,” said Weeks.
He said he was also pleasantly surprised by the amount of automated security being adopted across the lifecycle. When asked at which point their organizations perform application security analysis, 49% of respondents said during QA/testing, 45% said prior to releasing into production, and 27% said all of the above, which covers everything from the design and architecture stages up until the software is in production.
Companies that said they were a highly mature DevOps company for automated security were asked the same question, and while 57% responded with performing application security analysis prior to releasing into production, 42% said that they perform an analysis across all stages of the software development lifecycle.
Respondents were also asked if they implemented good version control practices and tools to maintain clear accountability and traceability for all applications deployed into production. According to the results, 44.6% of respondents agree, and 37.5% somewhat agree.
Additionally, IT professionals were asked if their organization has an open-source governance policy or rules about using good and bad components in software. The number that said they did have open-source governance policies stayed the same (57% said yes in both 2014 and 2017), but Weeks said that while this number didn’t change, the number of breaches increased over that same time period.
The survey asked respondents if their organization had a breach due to a vulnerability in an open-source component or dependency in the last 12 months. In 2014, 14% of respondents suspected or verified that there was an open-source breach, and this year, that number increased to 20%.
So while the rules and policies of open-source components stayed the same, the breaches attributed to open-source component vulnerabilities increased. Weeks said this shows a need for organizations to have more rules and policies in place for adopting open-source software.
Weeks said the overall analysis points out how important security is in a DevOps native world, and that companies can achieve it across the entire lifecycle. Companies that are struggling can look to those in the market that are already implementing application security across the entire lifecycle and learn from their best practices.
They can also talk to those companies to see what they are doing in this space and how they are using application security automation tools and solutions, said Weeks.