2018 State of DevOps: Great for Security

The annual State of DevOps report is out for 2018 and the study offered up some very strong proof points for the tight relationship between mature DevOps practices and improved security operations.

Spearheaded by Puppet Labs and Splunk, this influential analysis by DevOps Research & Assessment (DORA) is the most often cited compilation of statistics about  DevOps performance in the real world. And it has been for the past seven years running—all told, the body of work represents surveys of more than 30,000 technical professionals.

This report focused primarily on quantifying the stages of evolution in the DevOps journey, establishing metrics around which practices are most likely to be seen in early, middle and late stage DevOps adopters.

"This year, our data has showed us that while there are many individual paths through a DevOps transformation, there are ways to achieve and scale success faster," the report authors wrote.

For example, teams tend to start with DevOps where the "pain is most acute and visible," typically around practices closes to production. And as teams begin to scale up isolated DevOps processes, the data shows that cross-team sharing is one of the big factors in making that possible.

As teams get into the highest evolution stages of the DevOps journeys, certain tendencies crop up time and again. For example, highly evolved organizations are 24x more likely to make monitoring and alerting configurable by teams, 23x more likely to reuse deployment patterns, and 27x more likely to use configuration management tools.

That last statistic points to one of the key themes present throughout the report, namely that security design and automated configuration is an integral part of achieving the highest levels of the DevOps progression.

Automating Security Policy Configuration

"Automating security policy configurations is mission-critical to reaching the highest levels of DevOps evolution," the report explained.

According to the study, the most evolved DevOps organizations are 24 times more likely to always automate security policy configurations than the least evolved organizations. This is because as enterprises move forward in their DevOps journey they increasingly wrap up security policy and execution directly into the overall operations umbrella, rather than kicking the can down the road until audit time.

"There’s an evolutionary cycle for automating security policy, and it often starts with a single team member automating some policy by writing a scanner for the policy," the report explains.

From there the team might write a script, and then they might generate a report on that script. At that point, policy automation starts to get blended into configuration management systems, so that security policy is handled by a global system that ensures that security policies are consistently enforced—and so that any team member can update or improve enforcement of policy through the codebase.

Shifting Left on Security Design

Moving beyond automated security policy enforcement, at the highest level of evolution security enforcement isn't just automated, it's folded directly into the design of every application.

"Security considerations are shifting from being primarily operational concerns in production to being incorporated in application design and build," the report explains, stating that this is the anti-pattern to the traditional method of building software where different teams focus on different parts of the build cycle—with security usually coming in at the very last with changes that can sometimes be sweeping and expensive to fix.

Just as the first stages of DevOps evolution has development and operations teams blurring their functional boundaries to improve collaboration at the earliest points in application design, the most highly evolved organizations do the same with security. This isn't often done at the outset of the DevOps journey because that divide between developers and operations is usually the most visible pain point teams seek to address.

"It makes sense that getting security teams involved happens later in the DevOps evolution, after more acute problems have been addressed," the report explains.

Staying Clear-Eyed About DevOps and Security Evolution

Interestingly, the C-suite may have a rosier view of progress along that evolutionary scale than the people executing on DevOps strategies. For example, around 64% of the C-suite believes they involve their security team in technology design and deployment, while just 39 percent of team members at ground level would say the same. Clearly, there's need of a level-set to remain clear-eyed about progress and put in the investment necessary to not only getting better at DevOps but also folding security into the framework.