New research commissioned by technology services provider, Claranet, has found that 88% of UK businesses have adopted a DevOps approach but only 19% are confident in their ability to introduce DevSecOps (integration of security into their DevOps practices).
This underlines the risks that businesses are creating for themselves – especially given how DevOps tends to outpace traditional security controls – and the work that needs to be done within IT departments to embed and automate security best practices into the entire DevOps lifecycle.
The research, conducted by market research firm Vanson Bourne, included 300 respondents from businesses in both the UK and USA.
It found that 47% of UK organisations have adopted a DevOps approach, with an additional 41% planning to make this a reality in the next couple of years, indicating that DevOps is becoming a de facto way of working for many IT departments.
However, when considered alongside the fact that a fifth of organisations doubt their capability to deliver DevSecOps, it becomes clear that there is a significant disconnect between DevOps capabilities and DevSecOps readiness.
This lack of full emphasis on security as part of the DevOps process could lead to data security issues further down the line.
Sumit Siddarth, director at Claranet Group company, NotSoSecure, said: “Embracing DevOps is clearly at the forefront of the minds of the majority of IT leaders across the UK, which provides some cause for encouragement.
“But the overall lack of integration of security best practices into this process shows that, for many businesses, security is still being considered as something that is administered separately to the development lifecycle, rather than incorporated into it from end to end.
“Given the frequent development cycles that are an inherent characteristic of DevOps, seeing security as a separate entity can slow processes down and reduce efficiency, which either compromises the agility which is so central to any DevOps philosophy, or leads to windows where vulnerabilities can be released and won’t be spotted until the next security testing cycle.”
Siddarth added: “While the benefits of DevSecOps are clear, actually making it a reality is a complex process that can’t be completed overnight. Working out how to implement and automate application security – such as continuous monitoring and static analysis – within existing CI/CD pipelines takes time and effort, so it’s important that organisations receive in-depth guidance in how to make this happen.
“Furthermore, newer approaches to security testing, such as continuous security testing, need to be used to ensure any testing approach is keeping up with the rate of change DevOps approaches allow for.”