Make no mistake, DevOps trends are catching fire in the enterprise these days and for good reason. A new report out by DevOps Research & Assessment (DORA) shows that the highest performing DevOps organizations are crushing their software delivery metrics.
Here are a few of the juicy stats about that elite group of DevOps performers from the DORA study. Relative to non-DevOps adherents or low-maturity DevOps orgs, they're:
- deploying code 46x more frequently;
- recovering from incidents 2,604x faster; and
- posting 7x lower change failure rates.
All of those are crucial metrics for the business because so much of business performance today is directly tied to software delivery and operational performance. Forward-thinking CEOs and boards recognize this link and are placing big bets on DevOps investments.
The DORA study backs up their odds with one additional important measurement. Those elite performers are meeting business goals like profitability, productivity and market share more than 1.5x more effectively than lower performing peers.
That's great, but what's in it for the CISO?
Well, the study shows that while low performers can take weeks to conduct security reviews and fix the flaws identified during their SDLC, the best performing DevOps teams build security directly into their pipelines; they are capable of conducting security reviews and completing changes in a matter of days.
The scenario above is the brass ring that many organizations are striving for with DevSecOps, which is bringing security together with the automation and collaboration inherent in DevOps practices. However, transitioning to DevOps is hard enough, let alone doing it right by baking security into the mix as well.
A different survey released recently by FreeForm Dynamics reported that about 92% of organizations struggle to implement security into their entire DevOps process.
"Increased software complexity and the need to move at the speed of DevOps is creating a new type of risk," explains Maty Siman, CTO of Checkmarx, which sponsored that study. "Software security also needs to change."
And in order for that to happen, CISOs need to step up and find ways to embed their team and their thinking into the continuous delivery process. That's only going to happen if security executives truly invest themselves in keeping up with the latest DevOps trends and come up with ways to enable DevOps while still keeping the lid on risk. The following are five such hot-button issues that CISOs need to start thinking about in order to get their organizations to the elite level of DevSecOps practices.
It's pretty much a given that for DevSecOps to work, IT is going to need to get developers, testers, operations staff and security gurus to not just tolerate one another, but really interact as a high-functioning, collaborative team. The only problem? Most of the people in those different IT 'tribes' give outsiders the side-eye.
The study from FreeForm showed that a whopping 72% of respondents agreed that the different teams and disciplines within IT are reluctant to trust one another. Obviously, CISOs can't solve the entire organization's culture problems. But they can start thinking critically about how the security team can build bridges between itself and other groups within IT and the business at large.
Dev Training in Security Needed
A big part of the effectiveness of DevSecOps is that it empowers IT team members outside of security to implement security checks and controls on a day-to-day basis. According to the 2018 DevOps Pulse study, about 54% of organizations today use DevOps personnel to handle security incidents.
The sticking point here is that DevOps team members need to actually know enough about security to carry out this daily work, but around 45% of organizations are having a hard time getting senior management to approve funding for necessary security training, according to FreeForm.
At the end of the day, CISOs are going to need to go to bat for skilling up DevOps teams in security fundamentals.
Security Automation: Still A Ways to Go
Automation plays a huge role in DevOps organizations, which use automated processes to speed up the mundane, reduce human errors from manual activities and remove operational bottlenecks. The trouble is that many security checks and controls today still depend upon manual effort, which turns security into a major roadblock to making headway on DevOps initiatives.
According to the DevOps Pulse study, only about one in three DevOps organizations today utilize automated security testing. That's got to change to reach peak DevSecOps efficiency.
Open Source-First Mentality
Most DevOps teams today depend heavily upon open source software to get their work done. According to the DORA report, 58% of those surveyed said their teams heavily depend upon open source components, libraries and platforms. Some organizations like Capital One are even going so far as calling their approach an Open Source-First philosophy.
Unfortunately, much of that use is not being monitored or controlled for risk. One study released earlier this year showed that 62% of organizations today still do not have meaningful controls over what components are in their applications. This means organizations don't know when controls need to be updated for security and where vulnerable components exist within their security architectures.
The Bleeding Edge: Serverless Security
Many security professionals are hardly keeping pace with the growing move toward containerization in DevOps organizations, let alone even more bleeding-edge trends like serverless technology. But some pundits believe that many high-performing DevOps teams are leapfrogging containerization and moving directly to serverless. About 42% of respondents to this year's DevOps Pulse survey say they're using serverless tech, a jump of 12 percentage points since last year.
Unfortunately, serverless use is taking the same path as so many other bleeding-edge technologies in IT. In many instances, teams are not building security controls into their serverless deployments. In the State of Serverless Security report out earlier this summer, about a third of companies say they're not employing any application security best practices in developing their serverless code. This is a growing trend that needs to stay on the CISO's radar.