The rise of DevSecOps has stressed the importance of shifting security left in order to provide better protection. A recently released report, though, found shifting left isn’t enough. In order for security to be viewed as more than just an extra step, it needs to be built into the entire life cycle.

Puppet, CircleCI and Splunk announced the release of the 2019 State of DevOps Report, which surveyed nearly 3,000 technical professionals.

RELATED CONTENT: For effective DevSecOps, shift left AND extend right

“It’s true that everyone should care about the security of the application or service they’re building, but people will continue prioritizing the work that’s right in front of them unless they are incentivized to do things differently. That’s why security needs to be prioritized from the top of the organization. That’s also why it needs to be built into the entire software delivery lifecycle,” the report stated. 

According to the report, the most advanced DevOps cultures are ones where security teams are involved all throughout technology design and development, and incident responses are automated. Additionally, the more security is integrated throughout the entire life cycle, the better delivery teams are able to respond to problems. 

“Firms at the highest level of security integration are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration — 61 percent are able to do so. Compare this with organizations that have not integrated security at all: Fewer than half (49 percent) can deploy on demand,” the report stated.

Where the problem lies is “in the middle.” Respondents revealed they experience the most friction and frustration during the middle states of development because this is where things start to become more complex. The report explained this friction slows down delivery and increases audit issues. However, the report did find that teams that continue to share and collaborate during this stage will see faster results and be able to refine their processes. 

“To progress out of the middle stages, you should focus on measuring both business outcomes and metrics that show how day-to-day toil is being reduced and alleviated (planned vs. unplanned work, deployment pain, Severity 1 incidents, etc.). Being able to visualize your progress when things still seem hard can be a powerful motivator, and just as important, can make it much easier to see what should come next, thus leading you forward,” the report stated. 

The report also found five best practices for improving security:

  1. Having security and development teams collaborate on threat models
  2. Integrating security tools throughout the development integration pipeline so engineers can be confident security problems aren’t being introduced into the codebase
  3. Prioritizing security requirements, both functional and non-functional, as part of the project backlog
  4. Evaluating automated tests, and reviewing changes in high-risk areas of the code
  5. Reviewing infrastructure-related security policies before deployment 

“The DevOps principles that drive positive outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive positive security outcomes,” said Alanna Brown, senior director of community and developer relations at Puppet and author of the State of DevOps report. “Organizations that are serious about improving their security practices and posture should start by adopting DevOps practices.”

Other findings included security doesn’t have to take a back seat to feature delivery; time to remediate vulnerabilities doesn’t dramatically decrease at higher levels of security integration; and the more security is integrated the more teams feel a shared responsibility. 

“It was interesting to discover it doesn’t matter how your teams are structured, so long as you have someone focused on security collaborating closely with development, test, and operations teams throughout the software delivery lifecycle. You don’t need to have purely autonomous project teams that report to the same person, or that are even in the same department. What matters most is everyone working together towards the common goal of making the software more secure,” said Nigel Kersten, field CTO at Puppet.