Software company Puppet released its 2019 State of DevOps report on Wednesday, revealing significant correlations between sophisticated DevOps teams and thorough security measures.
Puppet’s report said 22% of the firms at the highest level of security integration are also at an advanced stage of DevOps evolution.
“The more security is integrated into the software delivery lifecycle, the more delivery teams see security as a shared responsibility. And as integration increases, so does the perception that audits minimize risk to the business. In organizations with a high level of security integration, identified security issues are prioritized by the business,” according to the report.
Teams farther along in their DevOps evolution have automated more of their security practices, largely because they involved experts from the very beginning.
“The DevOps principles that drive positive outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive positive security outcomes,” said Alanna Brown, senior director of community and developer relations at Puppet and author of the State of DevOps report.
“Reliability, predictability, measurability and observability in your deployments create not just intrinsically more secure environments, but also, when combined with a strong automation practice, enable speed of response to security issues as they arise. Organizations that are serious about improving their security practices and posture should start by adopting DevOps practices,” Brown said.
The study acknowledged how difficult security integration can be, especially as enterprises move through the middle part of their DevOps evolution. Nearly 80% of companies surveyed said they were in this phase and were dealing with higher friction between security and delivery teams when collaborating, slowdowns in software delivery, and audit issues.
But the benefits were significant, especially for those who made it through the rough parts of the process. Puppet’s study showed that 61% of companies at the highest level of security integration are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration.
For companies that had not integrated security at all, less than half were able to deploy on demand.
“While the report outlines many problems, it also highlights the gains that arise when DevOps and security are fully integrated,” said Andrew Plato, CEO of cybersecurity firm Anitian.
“These benefits include increased security effectiveness, more robust risk management, and tighter alignment of business and security goals.”
Puppet’s report showed that integrating security deeply into the software delivery lifecycle made teams more than twice as confident of their security posture.
What made security integration difficult was the need for collaboration between teams, which is often hard to organize and time consuming. Cross-team collaboration was key to empowering teams to address a litany of security issues. The survey found teams were increasingly siloed, leaving security protection in the hands of a few people instead of the entire company.
Security teams and development teams have to work together to create threat models, integrate proven security tools into the development pipeline, and prioritize functional security requirements, according to Puppet. Organizations also had to have security experts checking automated tests, reviewing high-risk areas of code that may be vulnerable, and reviewing infrastructure-related security policies.
“It shouldn’t be a surprise to anyone that integrating security into the software delivery lifecycle requires intentional effort and deep collaboration across teams,” said Michael Stahnke, vice president of platform engineering at CircleCI, which contributed to the report.
“What did surprise me, however, was that the practices that promote cross-team collaboration had the biggest impact on the teams’ confidence in the organization’s security posture. Turns out, empathy and trust aren’t automatable,” he said.