92 Percent of Enterprises Struggle To Integrate Security Into DevOps

A large majority of organizations are struggling to implement security into their DevOps processes, despite saying they want to do so, according to a new report. From a report: The study commissioned by application security specialist Checkmarx looks at the biggest barriers to securing software today depending on where organizations sit on the DevOps maturity curve. The report finds 96 percent of respondents believe it is 'desirable' or 'highly desirable' for developers to be properly trained on how to produce secure code.

As developers take responsibility for the security of their software, respondents believe it is more important to educate developers and empower them than it is to educate other stakeholders in the organization like ops specialists and security specialists. However, 41 percent agree that defining clear ownership and responsibility in relation to software security remains a big challenge, and just 11 percent say they have adequately addressed the need for developer education. Software security is a boardroom issue according to 57 percent of respondents, it's a matter of business risk.

That means that 8%...

[bobbied]

So if 92% are admitting to having trouble the other 8% are just lying to themselves and others about it.

Security is ALWAYS a struggle and if you are committed to creating secure software and systems you will soon realize that you can never really call the security job done. So, if you are saying you have arrived, your security efforts have been successful, you are either out of business or you are destine to fail in your task because you quit working on it, having arrived.

thats not what devops is for.

[nimbius]

Devops was not designed to bridge the collaboration gap between developer and operations. It was designed to bridge the hiring gap. Fully staffed ops teams are a rarity, as are fully staffed dev teams. If you can make either do both, you can report to your leadership that youre no longer overstaffed, and are surprisingly at or below budget for headcount.

secops are already a thing. The only thing silly-con valley needs to convince the industry now is that some sort of dev/sec/ops monster is not only a real position, but employable at a fraction of the rate of either 3 roles.

Devops wasn't even designed

It's where the webmonkeys go "oh we know! we'll fix the system administration ourselves... with docker!"

I used to be sour at this. I used to do systems and networks administration, mostly free Unices including linux*, some non-free Unices. I also can "code" (C, C++, shell, python, whatever. Not admitting to java nor to php to protect my sanity.) And sure, I know how (some) exploits work, can do assembly and even dabbled with disassembly and binary patching, though it's not really my cup of tea. I shoot trouble, I don't really deliberately go out and make it by picking nits. And for years I tried to sell that combination of skills and usually got zero response. Now it's a thing to combine the first two and call it devops. Turns out that it makes a big old mess of things. Because it's where the webmonkeys, etc. And now they're proposing to add security on top of devops? Nobody could have predicted, etc.

So it doesn't surprise me that this approach doesn't actually work very well. Nor does it surprise me that secops --if it exists-- typically consists of (see above) a bunch of non-coding fully-certified founts of "best practices" documents. Because security is a [X] Due diligence, [X} CYA item.

It's easy to blame HR and hiring practices for this, but really, this is too stupid to be the work of just HR alone.

I'm still somewhat tempted to say "I'd love to help..." but really, I don't any longer. I'm just going to continue sitting on the sidelines. I'll just enjoy the fireworks for once. It's not especially difficult to do better once you see what's really wrong, but "everyone" is too busy to ask, care, or notice. Oh well.

* WIth more and more poetteringesque crap added, usurping the useful Stuff, I count linux less and less as a Unix.