For software development teams, security practices can seem like a bottleneck to deployment -- often slow, manual steps that are taken simply to avert blame. This year's State of DevOps report, written by Puppet, CircleCI and Splunk, shows that this sentiment is misguided. In fact, the report found, strong security and strong DevOps practices are complementary.
"This year's findings are clear: Good security practices and better security outcomes are enabled by DevOps practices," the report says.
According to the report, firms that do the best at integrating security into their software development practices are, in fact, able to deploy to production on demand at a significantly higher rate than other firms: 61 percent of them can do so, compared with 49 percent of firms with lower levels of security integration.
The report also found that the time to remediate vulnerabilities does not dramatically decrease at higher levels of security integration. Firms with stronger security integration do, however, do a better job of prioritizing security improvements over feature delivery -- in other words, the payoff of integrating security into the development process shows up in what gets built and fixed first, not just in how fast individual bugs are closed.
"The biggest takeaway is that improving your security posture isn't just about moving some security practices to an earlier phase of the software lifecycle," the report says. "It's about adopting a different way of working, one that emphasizes cross-team collaboration and shared empathy. DevOps, in fact."
The 2019 report surveyed 3,000 technology professionals from around the world. Over the past eight years, Puppet has surveyed more than 33,000 tech professionals to assess the state of DevOps.
This year's report focused on integrating security into DevOps. It found that six in 10 firms include security in only two or fewer phases of their software delivery cycle. Typically, firms begin by integrating security into the testing phase and then extend it to deployment.
The report defines five levels of security integration. Sixteen percent of the firms where survey respondents work were at Level 1, or no integration. The majority of firms at Level 1 involve security in the software delivery lifecycle on an ad-hoc basis — when issues are reported in production or an audit is scheduled.
The report found that 22 percent of firms at the highest level of security integration have reached an advanced stage of DevOps evolution. The most advanced stages of DevOps include automation and providing self-service capabilities.
"The DevOps principles that drive good outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive good security outcomes," the report says. "Reliability, predictability, measurability and observability in your deployments create not just intrinsically more secure environments, but also, when combined with a strong automation practice, enable speed of response to security issues as they arise."
The report posits that most companies fail to make it to full security integration in part because "good security practices don't pay the bills."
Additionally, the report finds that security integration in the middle stages of evolution is particularly challenging. "In these slog-through-it middle stages, security and delivery teams experience higher friction while collaborating, software delivery slows down, and audit issues both increase and require immediate attention," the report says.
To progress out of the middle stages, the report recommends measuring both business outcomes and metrics that show how day-to-day challenges are being alleviated -- challenges such as unplanned work, deployment pain or Severity 1 incidents.
Critically, teams that have integrated security at all stages of delivery collaborate early, often, and deeply.
The report lays out the top five practices for improving your security posture:
- Security and development teams collaborate on threat models.
- Security tools are integrated in the development integration pipeline so engineers can be confident they're not inadvertently introducing known security problems into their codebases.
- Security requirements — both functional and non-functional — are prioritized as part of the product backlog.
- Infrastructure-related security policies are reviewed before deployment.
- Security experts evaluate automated tests, and are called upon to review changes in high-risk areas of the code (such as authentication systems, cryptography, etc.).
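The second and fifth practices above are the ones most readily turned into pipeline logic. The following is an added example, not code from the report or its authors, of a minimal CI security gate: it takes normalized findings from whatever scanners the pipeline runs, fails the build on new high-severity findings that lack a time-boxed, reviewed exception, and flags changed files under high-risk paths (authentication, cryptography, sessions) as requiring a security reviewer's approval. The findings format, the glob patterns, the severity threshold, the exception table and the sample data are all assumptions made for this example.

```python
"""Minimal CI security gate, added here as an illustration of practices 2 and 5.

Assumptions for the example: scanners have already been run and their output
normalized into Finding records; accepted risks live in an exception table with
an expiry date; high-risk code areas are described by glob patterns.
"""
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatch

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed repository layout: the areas the report calls high-risk, as globs.
HIGH_RISK_PATHS = ("src/auth/*", "src/crypto/*", "src/session/*")


@dataclass(frozen=True)
class Finding:
    tool: str         # scanner that produced it (SAST, dependency audit, ...)
    rule: str         # rule or advisory id as reported by the tool
    severity: str     # low / medium / high / critical
    location: str     # file path or dependency the finding applies to
    fingerprint: str  # stable key used to match the finding against exceptions


def blocking_findings(findings, exceptions, today, threshold="high"):
    """Findings at or above `threshold` with no unexpired, reviewed exception.

    `exceptions` maps fingerprint -> expiry date, so every accepted risk has an
    end date set by its reviewer instead of silently becoming permanent.
    """
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity.lower(), 0) < min_rank:
            continue
        expiry = exceptions.get(f.fingerprint)
        if expiry is not None and today <= expiry:
            continue  # risk accepted by a reviewer and still within its window
        blocking.append(f)
    return blocking


def high_risk_changes(changed_files, patterns=HIGH_RISK_PATHS):
    """Changed paths that fall in areas requiring a security reviewer."""
    return sorted({p for p in changed_files if any(fnmatch(p, g) for g in patterns)})


def evaluate_gate(findings, exceptions, changed_files, security_approved, today):
    """Return (passed, reasons); reasons are meant for the CI log."""
    reasons = [f"{f.tool}: {f.rule} ({f.severity}) in {f.location}"
               for f in blocking_findings(findings, exceptions, today)]
    risky = high_risk_changes(changed_files)
    if risky and not security_approved:
        reasons.append("security review required for: " + ", ".join(risky))
    return (not reasons, reasons)


# Constructed sample data so the gate runs stand-alone; ids are placeholders,
# not real advisories.
SAMPLE_FINDINGS = [
    Finding("dep-audit", "EXAMPLE-ADV-1", "high", "left-pad@1.0.0",
            "dep:left-pad:EXAMPLE-ADV-1"),
    Finding("dep-audit", "EXAMPLE-ADV-2", "critical", "parser@2.3.1",
            "dep:parser:EXAMPLE-ADV-2"),
    Finding("sast", "hardcoded-secret", "medium", "src/config.py:12",
            "sast:src/config.py:hardcoded-secret"),
    Finding("sast", "weak-hash", "high", "src/crypto/hash.py:40",
            "sast:src/crypto/hash.py:weak-hash"),
]
SAMPLE_EXCEPTIONS = {
    "dep:left-pad:EXAMPLE-ADV-1": date(2030, 1, 1),  # reviewed, still valid
    "dep:parser:EXAMPLE-ADV-2": date(2019, 1, 1),    # reviewed, but expired
}
SAMPLE_CHANGED = ["src/crypto/hash.py", "src/api/handlers.py", "README.md"]

if __name__ == "__main__":
    ok, why = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, SAMPLE_CHANGED,
                            security_approved=False, today=date(2019, 10, 1))
    print("PASS" if ok else "FAIL")
    for line in why:
        print(" -", line)
    raise SystemExit(0 if ok else 1)
```

Two design choices matter in practice. Exceptions are keyed by a stable fingerprint and carry an expiry, so a reviewer's decision survives line-number churn but has to be renewed; and the review requirement is derived from the changed paths rather than from the scanner, so a clean scan of the cryptography module still routes the change to a human, which is what the fifth practice asks for.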