DevOps is one of the emerging trends among organizations looking to tear down the silos between development, integration, and delivery. These organizations are building DevOps teams and running continuous integration (CI) and continuous delivery (CD) workflows to improve their time to market.
However, how to implement application security and security testing tools in those development environments is less well understood. A recent report by 451 Research and Synopsys, DevSecOps Realities and Opportunities, revealed that only 50% of CI/CD workflows included application security testing tools, even though the organizations were aware of the importance and advantages of doing so.
Synopsys surveyed 350 IT decision makers at large enterprises and found that most organizations are not integrating security at code commit or in the pre-implementation stages of the process.
“While some DevOps teams are starting to incorporate application security into their CI/CD workflows, driven by factors such as improved software quality, compliance, and risk avoidance, there is ample room for improvement,” said Jay Lyman, principal analyst at 451 Research. “In many cases, security testing is not being integrated often or early enough in the process for organizations to fully benefit from reduced risk and rework headaches.”
4 key takeaways from the DevSecOps Realities and Opportunities report:
Frequency in code changes increasing
The speed of enterprise software releases is on the rise. DevOps teams are releasing software faster, working with large-scale infrastructures, and making significant code changes in each release.
49% of organizations said they deployed code changes or releases within days, 22% within weeks, and another 22% within hours.
More frequent code changes require more testing. 67% of organizations said they pushed a significant amount of code changes through their CI/CD workflows, 17% pushed large and complex changes, and 16% pushed small and simple changes.
Deployment without a strategy makes implementing DevSecOps more complex and difficult
63% of organizations expected at least four times faster deployment from their CI/CD implementations. However, such deployments, without a clear and informed strategy, can make scaling application security testing within those processes more complex and difficult.
Furthermore, organizations that support both on-premises and hosted deployments add to that complexity. 41% of respondents preferred a mix of on-premises and hosted software for integrating security into CI/CD workflows, while 37% indicated a preference for licensed software.
Only 49% of organizations committed to secure DevOps
The report highlights that there is ample room for improvement in integrating security testing elements into CI/CD workflows, as only 49% of organizations indicated that their CI/CD workflows included such elements.
Software composition analysis (SCA) and CVE scanning were cited as the most critical security testing elements.
Lack of automation and consistency: Top DevSecOps challenges
According to the report, the lack of automation and consistency, reduced speed, and the noise of false positives are the primary challenges of DevSecOps. Respondents believed that integrating automation tools early in the software development cycle can positively affect the speed, overall quality, and security of software.
When asked when application security should be integrated into CI/CD workflows, 67% said at code commit, while 44% said on the fly while coding.
“DevSecOps presents an opportunity to make application security part of the cultural and technological fabric of modern, high-velocity development and deployment models,” said Andreas Kuehlmann, general manager of the Synopsys Software Integrity Group. “This study highlights many of the opportunities and challenges DevOps teams face in adapting and applying application security tools and best practices. It also validates that automation, speed, accuracy, and CI/CD integration—attributes Synopsys has built into its application security solutions—are critical to making DevSecOps successful.”