While speed and agility are a few of the big drivers for service providers and enterprises embracing DevOps, there needs to be tighter integration between the security and DevOps teams, according to a report by HPE.
HPE's "Application Security and DevOps" report, which included both quantitative and qualitative responses from IT operations professionals, security leaders and developers, found that 99% of all respondents agreed that adopting a DevOps culture has the opportunity to improve application security. But just 20% were doing application security testing during development while 17% weren't using any technologies to protect their applications. According to the report, those issues highlight a large disconnect "between the perception and reality of secure DevOps."
"Our research shows that both security leaders and developers believe that the DevOps movement has the potential to significantly improve application security, but organizations are struggling to realize that potential so far," said Jason Schmitt, vice president and general manager of HPE Security Fortify at Hewlett Packard Enterprise, in a prepared statement. "By understanding the current state of DevOps and best practices for integrating security into the development culture, organizations can successfully secure software in this new DevOps world without impeding the speed and agility that it brings."
The report focused on the key barriers and gaps that were preventing organizations from integrating security into DevOps, including a significant lack of cooperation between developers and security teams. According to the report, 90% of the security professionals responded that integrating application security had actually become more difficult after their organizations started employing DevOps.
There was also a marked lack of security awareness and training for developers. Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the skill sets required, according to the report.
In order to overcome these obstacles, the report said that the responsibility for security should be shared across entire organizations, and that organizations should integrate security tools more heavily into the development ecosystem.
— Mike Robuck, Editor, Telco Transformation