When asked how their organization was protecting applications, an overwhelming majority of respondents cited implementation of security practices or downstream secure software development life cycle (SDLC) processes. However, when queried further, only 20 per cent admitted they conducted SDLC testing throughout the app development process. Most organizations relied on techniques such as pre-production penetration testing and network security. Furthermore, 17 per cent stated they do not use any technologies to protect their applications.
These were some of the alarming findings in the Application Security and DevOps Report 2016, released recently by Hewlett Packard Enterprise (HPE). The study drew on data and analysis from HPE Security teams, industry leaders, large companies, and developers, supplemented by one-on-one interviews and email questionnaires.
The document can prove very useful to business and IT leaders because it provides key insights on the multiple gaps and barriers between aspired DevOps security and the real security situation.
“Our research shows that both security leaders and developers believe that the DevOps movement has the potential to significantly improve application security, but organizations are struggling to realize that potential so far,” said Jason Schmitt, vice president and general manager, HPE Security Fortify, Hewlett Packard Enterprise.
He said that by understanding the current state of DevOps and best practices for integrating security into the development culture, organizations can better secure software development “without impeding the speed and agility that it brings.”
The bottom line is organizations can save a lot of time and money if teams are able to identify and correct vulnerabilities more frequently and earlier in the application lifecycle.
Barriers to security
The study found that organizational barriers were the key elements hindering security adoption in DevOps.
“While one of the main promises of DevOps is the collaboration between development, operations, and quality assurance (QA), security teams are often nowhere to be found in the DevOps conversation or team,” the report said. “Overall, developers and IT Ops care about security but feel it is already under control or that it’s someone else’s issue (such as security, InfoSec, and compliance departments).”
In some cases, respondents admitted to not even knowing their security teams. Reporting lines within organizations do not help break down organizational silos and most development, operations, and security groups have completely separate reporting structures.
The report also pointed to a lack of awareness regarding the importance of secure coding practices within development organizations:
1. Security is not part of computer science programs according to a 2016 CloudPassage report—out of the top 10 U.S. Bachelor’s Computer Science programs, none require a security class to graduate.
2. Secure coding practices are not part of job requirements—in looking at more than 100 job postings for software developers at Fortune 1000 companies, none specified security, secure coding experience, or knowledge as part of skills required.
3. For every 80 developers in the organizations surveyed, there is only one application security professional. The lack of security personnel, along with the increasingly rapid development cycle, makes secure development extremely difficult.
Time to market pressure
Developers are under immense pressure to get features out to market as fast as possible.
“…Customer expectations in competitive markets rise in response to attractive alternatives. Organizations in these markets are scrambling to keep pace. Seventy-three per cent of IT decision-makers surveyed said that business leaders demand more frequent delivery,” according to a 2015 Forrester study.
This business requirement is forcing development teams to prioritize features, functionality, and performance, and to eliminate anything considered to slow down the development process.
The speed of deployment is increasing. Forrester reports that organizations are going from four application releases per year in 2010 to a whopping 120 releases per year by 2020.
Based on HPE Security Fortify research, key drivers for more frequent delivery include:
• Mobile applications
• Web- or cloud-based application usage
• Market needs from customers
• Competition (e.g. if insurance companies do not deliver simpler ways for their customers to get quotes, view rates, pay bills, etc., online insurance companies will take their business.)
“Our data shows that most DevOps organizations are at least on monthly release cycles now,” HPE said.
IT operations organization
IT Ops groups more often value and focus on security since they are organizationally closer to security or more often share part of the responsibility.
However, given the significant overreliance on perimeter-based security, IT Ops focus on protecting the infrastructure instead of the application, the report said.
“In the eyes of most IT Ops, application security is mostly thought of as manual penetration testing and a responsibility of the security team,” the report said. “They have little understanding of the role that security should play in development.”
Security organizations can’t keep up
The report flags an increasing lack of application security talent and lack of integration of security requirements and practices into the development process. Security leaders are not developers.
“In our findings, only 15 per cent of chief security officers (CISOs) have a background in development. This can lead to a misunderstanding of challenges faced by development teams,” the report said. “Lack of application security talent: for organizations that have put a focus on the secure SDLC, there is a significant shortage of application security talent.”
For instance, there was an average of 900 developers in the organizations surveyed, in comparison to the average of 11 application security professionals in those organizations.
“This ratio, in combination with the increasing velocity of development, is leaving application security professionals unable to keep up,” the report said.
The report outlined several ways to better secure application development:
• Security should be a shared responsibility across the organization to eliminate barriers. Security must be embedded throughout every stage of the development process, with executive support and metrics to hold teams accountable for secure development.
• Bridge awareness, emphasis, and training gaps by making it seamless and more intuitive for developers to practice secure development. Organizations should integrate security tools into the development ecosystem to allow developers to find and fix vulnerabilities in real-time as they write code. This makes it easy and efficient to develop securely and educates the developer on secure coding in the process.
• Leverage automation and analytics as application security force multipliers. Organizations should leverage enterprise-grade application security automation with analytics built in to automate the application security testing audit process and allow their application security professionals to focus only on the highest priority risks. This reduces the number of security issues that require manual review, saving both time and resources, while lowering overall risk exposure.