DevOps Security Remains an Afterthought

Posted by Admin | February 13, 2017 | IT Security

The promise of DevOps breaking down organisational silos has not yet materialised for security

While enterprises are adopting DevOps to speed up software development and improve application security, barriers between development and security teams still exist, a study by HPE has found.


The chasm is so deep that in some cases, developers do not know their security teams. In fact, some 90% of security professionals claim that ensuring application security has become more difficult since their organisations deployed DevOps.

The HPE study is based on analysis from security teams, industry leaders, enterprises and developers to deliver key insights on the gaps and barriers between the promise and reality of secure DevOps.

Much of the disconnect may be attributed to the lack of security awareness, emphasis and training for developers. Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the skills required, according to the HPE study.

The lack of application security talent is another contributing factor. For every 80 developers in the organisations surveyed, there is only one application security professional. The lack of security personnel, along with the increasingly rapid development cycle, makes secure development extremely difficult, the report noted.

APAC enterprises reactive to DevOps security

Sherrel Roche, senior market analyst for services research at IDC Asia/Pacific, noted that while enterprises are aware that they are prone to data breaches and online attacks, security is still not an integral part of DevOps.


Indeed, going by a June 2016 IDC global DevOps study, only 40% of the organisations said security was part of their DevOps practice or project planning cycle. Additionally, 41% said they worked with the security team only on an ad hoc basis.

According to Roche, organisations in the Asia Pacific region continue to be reactive to DevOps security, and will work with security teams only during audit requests or when a security breach occurs. This poses challenges for security teams whose mandate is to release and maintain secure applications.

“DevOps teams need to partner with security teams to assess and release software thoroughly at a continuous and rapid pace. It is crucial that executives encourage DevOps teams to work with security, audit and compliance teams to ensure DevOps practices deliver value and reliability,” Roche said.

“Security needs to be integrated into the application development process from the beginning, making it a fundamental part of the DevOps process,” she added.

Pushkaraksh Shanbha, senior research manager at IDC Asia/Pacific’s services and cloud research group, concurred with HPE’s findings.

He said very few enterprises have integrated security into their DevOps practices because of legacy software development processes, and a view of security that has not evolved from an over-emphasis on perimeter security to application and data-centric security.

Richard Gerdis, vice-president of DevOps, Asia-Pacific and Japan, CA Technologies, noted that security is likely to continue being an important trend in DevOps this year, given the growing intensity and sophistication of cyber threats.

“In addition to speed and quality, good code also needs to protect users against cyber malice, and organisations from negative publicity and reputational damage,” he added.

Source: computerweekly
