DevSecOps: Solving the Add-On Software Security Dilemma
The lack of standard practices in the DevOps communities is causing growing friction as security teams line up against developers. This internal friction leaves software they develop and organizations that use the apps vulnerable to attacks and breaches.
A report released Sept. 30 by open source security and license management company WhiteSource explores various factors contributing to the siloed software development culture and what steps are needed to achieve agile, mature, DevSecOps practices — which involves integrating IT security as a shared function among all DevOps teams.
The report finds that software development teams feel increasing pressure to skip security features in order to meet short development lifecycles.
That finding is especially significant in light of another revelation in the report: more than half of all developers polled said they have either no secure coding training or only an annual event. Compounding this lack of security training among software coders is the finding that fewer than one-third of organizations have a defined, agreed-upon vulnerability prioritization process.
The DevSecOps Showdown
Perhaps an even more alarming dilemma is that on average just half of the organizations have an AppSec champion on their teams. More evidence of the security divide between teams is that even when security professionals say there is one, developers do not always agree, according to the report entitled “WhiteSource DevSecOps Insights, Security vs. Developers: The DevSecOps Showdown.”
“If developers feel they are neglecting security to stay on schedule, something in the DevSecOps process is broken,” warn the report writers.
WhiteSource surveyed over 560 application security professionals and software developers. The results show that while most security professionals and developers believe their organizations are in the process of adopting DevSecOps, most organizations still have a way to go, according to Rami Sass, CEO and co-founder of WhiteSource. The distance yet to be traveled is especially significant when it comes to breaking down the silos separating development and security teams, he noted.
“Full DevSecOps maturity requires organizations to implement DevSecOps across the board. Processes, tools, and culture need to evolve in order to break down the traditional silos and ensure that all teams share ownership of both security and agility,” Sass said.