In a glaring indication that businesses are not integrating cyber-security into their IT infrastructure as urgently as they are adopting new technology, new research has found that while 88 percent of UK businesses have either adopted a DevOps approach or plan to adopt one in the next couple of years, fewer than one in five are confident in their ability to mature those DevOps approaches into DevSecOps ones.
With almost every business operating in the UK using digital means to sell products, interact with customers, run membership programmes, accept online payments and provide fee-based services, nearly half of all businesses in the country have adopted DevOps approaches to streamline the adoption of automation technologies, build and operate their IT infrastructure, develop enterprise applications, and let teams within an organisation communicate more efficiently.
Thanks to the adoption of DevOps approaches, organisations are able to churn out hundreds of new applications either for their staff or their customers every year, maintain databases in cloud platforms that can be accessed from anywhere, and enable departments to share data and collaborate on new projects.
However, with the cyber-threat environment posing increasing challenges to organisations, many of which are difficult to track or manage, organisations are now taking steps to mature their DevOps approaches into DevSecOps ones by integrating security into their IT infrastructure and delivery pipelines. While this is a welcome move, the migration from DevOps to DevSecOps is not occurring fast enough to respond to emerging cyber-threats.
A survey commissioned by technology services provider Claranet has found that while 88 percent of UK businesses have either adopted a DevOps approach or plan to adopt one in the next couple of years, less than one in five businesses are confident in their ability to embed and automate security best practices into the entire DevOps lifecycle.
This means that an overwhelming majority of UK businesses will remain exposed to cyber-threats that persist because of prevailing weaknesses in the IT infrastructure, cloud applications, IoT environments and endpoint security solutions deployed across thousands of organisations in the UK.
What's also worrying about this statistic is that while only 19 percent of UK businesses are confident about integrating security into their DevOps approaches, over half of all businesses in the United States (52 percent) are confident in their ability to do so, even though the latter figure cannot be treated as a benchmark.
Sumit Sidharth, director at NotSoSecure, said that even though there is an urgent need for organisations to transition effectively to a DevSecOps approach, migrating from DevOps to DevSecOps is, in reality, a complex process that could take a long time to achieve.
"Working out how to implement and automate application security – such as continuous monitoring and static analysis – within existing CI/CD pipelines takes time and effort, so it’s important that organisations receive in-depth guidance in how to make this happen. Furthermore, newer approaches to security testing, such as continuous security testing, need to be used to ensure any testing approach is keeping up with the rate of change DevOps approaches allow for," he said.
What should motivate organisations to consider migrating to DevSecOps is that the lack of security in their DevOps approaches is already being exploited to the hilt by cyber-criminals. Earlier this month, research by Sonatype found that open source breaches, in which attackers exploit vulnerabilities in open source components deployed by organisations, increased by 71 percent over the last five years, while 26 percent of companies suffered web application breaches in the past year alone.
When surveying IT security professionals, Sonatype learned that 81 percent of organisations with elite DevSecOps programmes had a cyber-security response plan in place, compared with 62 percent of those without such programmes. Similarly, 62 percent of companies with DevSecOps programmes had open source governance programmes in place, compared with 25 percent of companies without DevSecOps programmes.
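To make concrete what "automating security within existing CI/CD pipelines" (Sidharth's point above) and "open source governance" (the Sonatype finding) look like in practice, here is an added example, not code from the article, Claranet, NotSoSecure or Sonatype: a minimal dependency gate that a pipeline stage would run against a project's pinned requirements file. The advisory data, package names and advisory identifiers in it are constructed placeholders for illustration; a real gate would pull them from a vulnerability feed, and the requirements file shown is likewise made up.

```python
"""Added example: a dependency gate for a CI pipeline stage.

Parses a pinned requirements.txt, rejects dependencies that are not pinned
with '==' (they cannot be assessed reproducibly), and flags pinned versions
that fall inside a known advisory range. Advisory data and the sample
requirements file below are constructed for illustration only.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory data (not a real feed). Keys are lower-cased package
# names; each entry is (first_affected, first_fixed, advisory_id), meaning the
# affected range is [first_affected, first_fixed). All values are placeholders.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "fakelib": [("1.0.0", "1.4.2", "EXAMPLE-ADV-0001")],
    "demo-http": [("0.0.0", "2.3.0", "EXAMPLE-ADV-0002")],
}

# name, optional comparison operator, optional dotted numeric version
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9.]*)?\s*$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4' into (1, 4, 0): padded to three components so tuple
    comparison behaves like a numeric version comparison."""
    parts = [int(p) for p in v.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, operator, version) triples. Comments and blank lines are
    skipped; an unpinned entry comes back with an empty operator and version."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        out.append((m.group(1).lower(), m.group(2) or "", m.group(3) or ""))
    return out


def find_vulnerable(name: str, version: str, advisories=ADVISORIES) -> List[str]:
    """Advisory IDs whose affected range covers this exact version."""
    v = parse_version(version)
    return [
        adv_id
        for lo, hi, adv_id in advisories.get(name, [])
        if parse_version(lo) <= v < parse_version(hi)
    ]


def check_requirements(text: str, advisories=ADVISORIES) -> Dict[str, list]:
    """Policy check: every dependency must be pinned with '==' and must not
    sit inside a known advisory range. Returns both violation lists."""
    unpinned, vulnerable = [], []
    for name, op, ver in parse_requirements(text):
        if op != "==":
            unpinned.append(name)  # CI cannot know which version will be installed
            continue
        for adv_id in find_vulnerable(name, ver, advisories):
            vulnerable.append((name, ver, adv_id))
    return {"unpinned": unpinned, "vulnerable": vulnerable}


def gate_passes(text: str, advisories=ADVISORIES) -> bool:
    """True when the pipeline stage should let the build proceed."""
    result = check_requirements(text, advisories)
    return not result["unpinned"] and not result["vulnerable"]


# Constructed requirements file for the demonstration (not from any real project).
SAMPLE_REQUIREMENTS = """\
# pinned at the first fixed version: clean
fakelib==1.4.2
# pinned, but inside the affected range
demo-http==2.2.9
# not pinned: fails the governance policy regardless of advisories
loose-dep>=3.1
"""

if __name__ == "__main__":
    report = check_requirements(SAMPLE_REQUIREMENTS)
    for name in report["unpinned"]:
        print(f"POLICY: {name} is not pinned with ==")
    for name, ver, adv in report["vulnerable"]:
        print(f"VULN: {name}=={ver} matches {adv}")
    # Non-zero exit is what makes the CI stage block the merge.
    raise SystemExit(0 if gate_passes(SAMPLE_REQUIREMENTS) else 1)
```

Run as a pipeline step, the non-zero exit status is the whole point: the check fails the build rather than producing a report nobody reads, which is the difference between a governance programme and a dashboard. Treating an unpinned dependency as a failure, not merely a warning, is the policy choice that makes the version check meaningful.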
"We must all recognise security is a living thing and organisations should be prepared to prevent and respond to breaches at any moment within their application lifecycle. It is difficult to imagine proper cyber-security hygiene and sufficient preparations for a breach without DevSecOps in place," says Hasan Yasar, technical manager at Carnegie Mellon’s Software Engineering Institute.
"Every organisation with a DevOps framework should evolve towards a DevSecOps mindset. The objective is to treat security as a core component throughout the software delivery pipeline as opposed to thinking of it as an afterthought. As security threats continue to evolve it's easy to see the value of evolving towards DevSecOps," added Shawn Ahmed, vice president of product marketing at CloudBees.