DevSecOps isn’t yet as widely known or practiced as DevOps, but that could be changing.
2018 has been a wake-up call for enterprises that haven’t deeply integrated security practices throughout their IT organizations. In just a few short months, news has broken about major attacks and/or breaches at Sears and Delta Air, oil and gas pipelines, Panera Bread, Saks Fifth Avenue and Lord & Taylor, European financial institutions, MyFitnessPal, at least 1,000 Magento-based ecommerce sites, Orbitz, FedEx, Boeing, the city of Baltimore, and the city of Atlanta.
Because the attack methods used in these incidents vary so widely, no single security measure could plausibly address them all.
However, DevSecOps, which encourages greater collaboration among security professionals, developers, and IT operations staff, can do a lot to help organizations prevent, defend against, and mitigate attacks. This approach promotes the idea that security is everyone’s job, and it pushes security professionals to become more proactive and iterate more quickly.
Recent surveys and reports include at least five hints that organizations and IT professionals are beginning to understand the need for DevSecOps and the potential benefits it offers.
Being aware of a problem is always a necessary precursor to solving it, and Veracode’s DevSecOps Global Skills survey showed that DevOps professionals are very cognizant of their skills deficits. Among the DevOps professionals who had earned bachelor’s or master’s degrees, about 70% said their security education was inadequate for their current positions. Perhaps even more astonishingly, three out of four said they weren’t required to take a single IT security class to obtain their diplomas.
The same survey asked which types of DevOps job candidates are the toughest to find and hire. The number one vote-getter, selected by 40% of respondents, was “all-purpose DevOps gurus with sufficient knowledge about security testing.” Clearly, organizations are looking for DevSecOps professionals—but they aren’t always finding them.
When asked where responsibility for the lack of security knowledge lies, security staff at DevOps firms point at least partly to management. The vast majority (85%) said their companies don’t spend enough money to train developers on application security issues.
A separate report, the Sonatype DevSecOps Community Survey, found a big difference between highly mature DevOps organizations and those still adopting the approach. In the highly mature organizations, 85% made application security training available to employees. These leading organizations appear to have found a weapon in the fight against cyber attackers that most firms, even among those embracing DevOps, have not.
The Veracode survey also asked DevOps professionals what would be the most effective way to gain the new skills they are lacking. Among those surveyed, 37% said they believed the most effective way to boost their DevSecOps skills would be to attend classroom or e-learning training programs. Organizations that want to take that advice should check out DevOps Institute’s DevSecOps Engineering (DSOE)℠ certification. It’s a great way to give security professionals “security as code” skills that help them better protect their organizations and embrace DevOps culture.
Cynthia Harvey is a freelance writer and editor based in the Detroit area. She has been covering the technology industry for more than fifteen years.