Slashdot Mirror
92 Percent of Enterprises Struggle To Integrate Security Into DevOps (betanews.com)
A large majority of organizations are struggling to implement security into their DevOps processes, despite saying they want to do so, according to a new report. From a report: The study commissioned by application security specialist Checkmarx looks at the biggest barriers to securing software today depending on where organizations sit on the DevOps maturity curve. The report finds 96 percent of respondents believe it is 'desirable' or 'highly desirable' for developers to be properly trained on how to produce secure code.
As developers take responsibility for the security of their software, respondents believe it is more important to educate developers and empower them than it is to educate other stakeholders in the organization like ops specialists and security specialists. However, 41 percent agree that defining clear ownership and responsibility in relation to software security remains a big challenge, and just 11 percent say they have adequately addressed the need for developer education. Software security is a boardroom issue according to 57 percent of respondents, it's a matter of business risk.
As developers take responsibility for the security of their software, respondents believe it is more important to educate developers and empower them than it is to educate other stakeholders in the organization like ops specialists and security specialists. However, 41 percent agree that defining clear ownership and responsibility in relation to software security remains a big challenge, and just 11 percent say they have adequately addressed the need for developer education. Software security is a boardroom issue according to 57 percent of respondents, it's a matter of business risk.
So if 92% are admitting to having trouble the other 8% are just lying to themselves and others about it.
Security is ALWAYS a struggle and if you are committed to creating secure software and systems you will soon realize that you can never really call the security job done. So, if you are saying you have arrived, your security efforts have been successful, you are either out of business or you are destine to fail in your task because you quit working on it, having arrived.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Devops was not designed to bridge the collaboration gap between developer and operations. It was designed to bridge the hiring gap. Fully staffed ops teams are a rarity, as are fully staffed dev teams. If you can make either do both, you can report to your leadership that youre no longer overstaffed, and are surprisingly at or below budget for headcount.
secops are already a thing. The only thing silly-con valley needs to convince the industry now is that some sort of dev/sec/ops monster is not only a real position, but employable at a fraction of the rate of either 3 roles.
Good people go to bed earlier.