In a DevOps environment, software and feature delivery happen in real time. Security, while critical to your company, cannot become a bottleneck. InfoSec and DevOps leadership are searching for the best ways to bridge the gap between their two organizations in order to better secure the application stack during development, deployment, and production operations. The merging of InfoSec with DevOps, or DevSecOps—with a particular emphasis on DevOps security automation—has gained momentum in response to the need for rigorous security that moves at the speed of cloud delivery.
The DevSecOps Adoption & Processes infographic highlights key findings from the Cybersecurity Insiders 2020 AWS Cloud Security Report that pertain to DevOps. In this post, we’ll cover the current state of DevSecOps adoption, common security challenges faced by DevOps organizations, and strategies for improving security with DevOps security automation. You can find more information in our two related posts:
- AWS Cloud Security Report 2020 for Management: Managing the Rapid Shift to Cloud
- AWS Security Best Practices: AWS Cloud Security Report 2020 for InfoSec
The Current State of DevSecOps Adoption
Though DevSecOps adoption is gaining traction, only 21% of organizations have a comprehensive DevSecOps program in place, and 43% of organizations have only achieved implementation in part of their organizations. These figures suggest a massive opportunity for growth and positive change. As more organizations move toward a DevOps culture and processes, those that do not work closely with InfoSec put their security posture at risk as development cycles accelerate and production environments grow in both size and complexity.
The Points in the Pipeline Where DevOps and InfoSec Meet
DevOps teams have adopted security checks as part of the development and deployment pipeline in an effort to catch issues before they get to production. However, with the focus on application delivery speed, security checks that are not driven by automation become a bottleneck.
Only about half of the survey respondents indicated that security is engaged at critical points throughout their CI/CD pipeline, including system testing and production (58%), feature development and unit testing (51%), and staging (42%). Without DevOps security automation built into these critical intersection points, teams relying on manual processes can inadvertently introduce significant security blind spots.
DevOps Security Automation Accelerates Remediation
Two of the clearest benefits of DevOps security automation are how often remediation happens and how remediation work reaches developers, and the report indicates that many companies still have room to improve in both areas.
Many organizations still rely on a combination of cumbersome weekly (27%), monthly (37%), and even quarterly (25%) security vulnerability assessment cadences. Typically, these security reports contain a laundry list of potential vulnerabilities that must be addressed by development teams.
Additionally, 43% of organizations rely on ad-hoc tickets, emails, meetings, or instant messages. These heavy reports and side-tracking requests—and the expectations that come with them—do not fit into the rapid-release, regimented DevOps world and can cause friction between DevOps and InfoSec.
Fortunately, DevOps tools are primed for security automation, which can put vulnerability information, remediation suggestions, and security tasks in front of developers through the systems they’re already using for development task management. With some up-front automation work, tools like Jira and ServiceNow can accelerate the visibility of security concerns and can insert remediation strategies and tasks into the natural flow of DevOps development.
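The integration pattern described above, as an added example that is not part of the original post or of any CloudPassage product: a small Python routine that takes scanner findings, fingerprints them so a re-run does not open duplicate tickets, filters by severity, and shapes the result as Jira create-issue payloads. The sample findings, project keys, severity names and owners are constructed for illustration; the `POST /rest/api/2/issue` endpoint and its `fields` payload shape are Jira's, but the authentication scheme you need depends on your Jira deployment.

```python
"""Turn vulnerability-scanner findings into tracker tickets (added example).

The finding data, project keys and severity names below are constructed;
the Jira create-issue endpoint (POST /rest/api/2/issue with a "fields"
object) is real. Nothing here is CloudPassage code.
"""
import hashlib
import json
import urllib.request

# Constructed scanner output, as an automated scan might emit after each
# pipeline run. The identifiers are placeholders, not real CVE data.
SAMPLE_FINDINGS = [
    {"id": "FINDING-0001", "asset": "api-gateway", "severity": "critical",
     "title": "Outdated TLS library on image", "fix": "Rebuild with base image 2.4"},
    {"id": "FINDING-0002", "asset": "batch-worker", "severity": "low",
     "title": "World-readable config file", "fix": "chmod 640 /etc/app/app.conf"},
    {"id": "FINDING-0001", "asset": "api-gateway", "severity": "critical",
     "title": "Outdated TLS library on image", "fix": "Rebuild with base image 2.4"},
    {"id": "FINDING-0003", "asset": "batch-worker", "severity": "medium",
     "title": "SSH password auth enabled", "fix": "Set PasswordAuthentication no"},
]

# Assumed mapping from asset name to the owning team's tracker project key.
ASSET_TO_PROJECT = {"api-gateway": "GW", "batch-worker": "BATCH"}

# Assumed mapping from scanner severity to tracker priority names.
SEVERITY_TO_PRIORITY = {"critical": "Highest", "high": "High",
                        "medium": "Medium", "low": "Low"}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def finding_key(finding):
    """Stable fingerprint so a re-scan does not open a second ticket for the same issue."""
    raw = f"{finding['id']}|{finding['asset']}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def build_tickets(findings, already_open, min_severity="medium"):
    """Return Jira-style issue payloads for findings that are not yet tracked.

    already_open: fingerprints recorded on existing tickets (here, as a label).
    min_severity: findings below this level are left to the periodic report.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    seen = set(already_open)
    tickets = []
    for f in findings:
        fp = finding_key(f)
        if fp in seen or SEVERITY_ORDER.index(f["severity"]) < threshold:
            continue
        seen.add(fp)  # also deduplicates within this scan run
        tickets.append({"fields": {
            "project": {"key": ASSET_TO_PROJECT[f["asset"]]},
            "issuetype": {"name": "Bug"},
            "priority": {"name": SEVERITY_TO_PRIORITY[f["severity"]]},
            "summary": f"[{f['severity'].upper()}] {f['title']} on {f['asset']}",
            "description": f"Finding {f['id']}\n\nRemediation: {f['fix']}",
            "labels": ["security", f"scan-fp-{fp}"],
        }})
    return tickets


def post_issue(base_url, token, payload):
    """Send one payload to Jira's create-issue endpoint.

    Bearer token auth is assumed (Jira Data Center personal access tokens);
    Jira Cloud expects Basic auth instead. Not called in the dry run below.
    """
    req = urllib.request.Request(
        f"{base_url}/rest/api/2/issue",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: pretend FINDING-0003 already has a ticket from an earlier run.
    open_fps = {finding_key(SAMPLE_FINDINGS[3])}
    for ticket in build_tickets(SAMPLE_FINDINGS, open_fps):
        print(json.dumps(ticket, indent=2))
```

Storing the fingerprint as a label on the ticket is what lets the next pipeline run query the tracker for open `scan-fp-*` labels and pass them in as `already_open`, so developers see one ticket per issue rather than one per scan.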
Who is Responsible for Security?
The automated CI/CD pipeline for rapid code delivery opens up new opportunities for building security directly into the DevOps process. By “shifting left,” or integrating security testing throughout the CI/CD pipeline, you get a faster, more secure deployment pipeline that reduces friction points between DevOps and InfoSec that could stall deployments. This integrated approach to security implementation also fits with the DevOps culture by giving members of DevOps and InfoSec shared goals for secure code delivery, which helps shape security responsibility throughout the organization.
While only 21% of organizations have a comprehensive DevSecOps strategy in place, our survey indicates that security is now a jointly fulfilled responsibility between DevOps and InfoSec. More than half of companies indicate that they still have a strong, central IT operations team responsible for security changes. However, InfoSec engineering teams and DevOps engineers also take on implementation tasks. When it comes to who is responsible for changes, there’s more than one valid team structure. The one that’s right for your organization is one where your DevSecOps team members’ roles and security ownership are clearly defined.
Drivers for DevOps Security Automation
With an automated cloud security platform like CloudPassage Halo, teams practicing a DevSecOps methodology can work together to improve security across any cloud while achieving faster time to deployment and lowering costs. Halo accelerates security automation with bi-directional REST APIs for integration with your CI/CD toolkit, automated remediation reporting, and compliance and vulnerability management across your cloud workloads and IaaS, PaaS, container, virtual, and bare-metal environments. Halo reduces, or even eliminates, the bottleneck between InfoSec and DevOps, and can result in significant cost savings due to faster, more secure deployments.
Download the DevSecOps Adoption & Processes Infographic
You can download the complete survey findings and our DevSecOps infographic below. And be sure to subscribe to the CloudPassage blog so you don’t miss our upcoming blog series.