DevOps teams are struggling to incorporate application security into their workflow. That’s according to Synopsys, which just released a report detailing the lack of application security testing in over 50% of Continuous Integration/Continuous Delivery (CI/CD) workflows, following a survey of 350 IT decision makers across a range of industries.
The state of DevOps security
DevOps (Development Operations) has seen immense growth within the past few years due to its practicality for businesses, which can now streamline their Software Development Life Cycle and in some cases reduce their overheads. (DevOps essentially brings operations and development engineers together across the whole service lifecycle, from design through development to production support.)
The significant size of the infrastructure involved in enterprise CI/CD workflows makes scaling DevSecOps (which bakes security into DevOps) even more complex and difficult, the authors highlighted, saying: “We found across industries only about half of CI/CD workflow implementations include any application security testing elements”.
Why are DevOps teams struggling?
There are a variety of reasons why DevOps teams are struggling; however, the report highlights the top three causes as:
* Lack of automated, integrated security testing tools
* An inconsistent approach
* Security testing slowing things down
Speed seems to be a particular issue: the survey points to the increasing speed of enterprise software releases. Nearly half of respondents (49 percent) indicated code changes or releases were deployed in a matter of days; 22 percent said hours.
Synopsys said: “Even though the popular view is that security slows down software releases, we believe organizations can save themselves rework headaches and time by considering and injecting security early in the process and choosing security tools and elements that can be integrated and automated.”
What Kind of Security Testing?
Some 61 percent of respondents identified software composition analysis (SCA) and CVE scanning as the most critical elements of application security testing.
Synopsys said in the report: “We’re not surprised to see this pointed out as most critical given recent security incidents – including Heartbleed and the Apache Struts vulnerability that caused the Equifax breach – have highlighted potential risks, particularly in open source software. Nevertheless, with cloud computing, containers, microservices and other leading-edge technology, open source software is typically a significant and meaningful part of CI/CD pipelines and workflows.”
The report’s authors added: “We would also highlight that even though composition analysis was perceived as the most critical element of DevSecOps, nearly 40% of our survey respondents reported use of no tool to find vulnerabilities in open source software in use, or that they didn’t use open source at all; a somewhat dubious claim given the prevalence of open source in today’s enterprise software releases.”
The General Consensus
DevOps does not appear to be slowing down, and firms will only continue to adopt this approach into their operations. Enterprises would benefit, Synopsys emphasises, from injecting security elements earlier in the software development lifecycle, most effectively at code commit. By supporting integration and collaboration that includes security elements and personnel, businesses could maintain the speed and scale of CI/CD releases, but do so in a secure manner that reduces risk and rework.
See also: Synopsys puts Black Duck on its bill in $565m acquisition