Devops isn’t simply transforming how developers and operations work together to deliver better software faster, it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that devops teams are increasingly adopting security automation to create better and safer software.
It’s no secret that traditional development and operations teams view security controls as slow and cumbersome, and often look for ways to bypass the requirements in their rush to get software out the door. However, only 28 percent of respondents from organizations with mature devops practices felt that security requirements slowed down software development, Sonatype found in its 2017 DevSecOps Community Survey. In fact, 84 percent of respondents from mature devops organizations viewed application security as a safety measure, not an inhibitor to innovation.
“Devops is not an excuse to do application security poorly; it is an opportunity to do application security better than ever,” said Wayne Jackson, CEO of Sonatype.
While about a quarter of the respondents to the online survey—which include developers, devops teams, IT managers, team leads, architects, and build and operations engineers—considered security as a top development concern, that figure jumped to 38 percent among respondents who worked at organizations with a mature devops culture. Those respondents said their developers spend a lot of time on security.
The stark difference in the importance developers place on application security seems to depend on the how far along the organization is on its devops journey. Just as security tends to play a more visible role in organizations with mature IT operations, the same pattern is playing out with devops. As developers and operations get more comfortable working together to release better software faster, they are looking for other areas to improve. Developing safer software is the logical next step.
It’s a self-fulfilling prophecy. As teams automate security tasks and find vulnerabilities earlier in the development lifecycle, the cost of releasing secure software goes down. As software security becomes less of an inhibitor, they are more likely to view application security positively and be willing to automate security in even more areas.
“Successful application security has been defined as increased automation that doesn’t slow down the development and operations process,” said Tyler Shields, vice president of Signal Sciences. “Imagine a scenario where developers embrace security rather than find ways to work around it.”
Among respondents, 58 percent from mature devops organizations said they have automated security as part of their continuous integration (CI) practices, but CI isn’t the only part of the SDLC benefiting from automation. In the survey, 42 percent of respondents from mature devops organizations claimed to perform application security analysis at every stage of the SDLC—starting from design and architecture, all the way to production.
Automation includes adding security testing techniques such as fuzz testing and software penetration testing during development and testing, as well as security analysis within CI platforms to detect when vulnerable code is introduced. Some organizations have automated the evaluation of open source and third-party components against a defined governance policy to prevent vulnerable libraries from being included in code.
Contrast that to the overall response pool, where only 27 percent said they performed application security analysis at every stage. Forty nine percent of respondents said they performed application security analysis during QA/testing, and 45 percent said prior to releasing into production.
Part of the increase in application security comes from the increased focus on training. The survey found that 85 percent of respondents from mature devops organizations received some form of application security training to ensure awareness of secure coding practices.
But secure development within devops is less about blindly following required security practices and controls and more to do with thinking about making applications secure as part of daily practice, said Hasan Yasar, technical manager and adjunct faculty at Carnegie Mellon University. Developers are encouraged to adopt an attacker mindset to look for vulnerabilities in their own code and to build software with a reduced attack surface. If the application is quick to deploy and restore, then developers can worry less about being hacked and more about preventing predictable attacks and quickly recovering from an incident.
“Software should bend but not break,” Yasar said. “This shift in thinking from a prevent to a bend-don’t-break mindset allows for a lot more flexibility when it comes to dealing with attacks.”
Another area where security can work with devops is in the use of runtime application self-protection (RASP) and next-generation web application firewall (NGWAF) technologies. RASP and NGWAF give security, operations, and development teams visibility into attacks and data at runtime.
“Automation of application security will democratize security data, breaking down silos between groups while helping the entire organization operate more efficiently,” said Shields.
While the survey paints a rosy picture—especially since devops still isn’t as firmly entrenched in software development as its advocates would like to believe—it still makes a compelling argument that automation makes it possible to integrate application security tools early into the development life cycle. Thanks to automation, vulnerabilities are found faster and fixed earlier, which is less costly than finding them in production or during penetration testing. When the tests become part of the CI/CD pipeline, code quality is higher, developers are happier about what they are producing, and security teams are satisfied because security policies are being followed.
“Building the right AppSec tools seamlessly into the devops loop—your continuous release cycle—means your IT delivery value stream operates faster, cheaper, and at high quality,” said Helen Beal, a “devopsologist” at Ranger4, a devops consultancy.
Security experts have long advocated including security earlier in the lifecycle, and the survey findings show that this is already happening in some organizations. The survey shows that the rapid pace of development and deployment in devops isn’t somehow contrary to security, and that organizations have successfully managed to combine the two.