Five ways to improve security in the software delivery lifecycle
- The more security is integrated into the software delivery lifecycle, the more delivery teams see security as a shared responsibility.
- The ability to remediate critical security vulnerabilities within one day is lowest for Singapore (13%).
- There is huge potential for Asia to finetune its security practices and/or processes around containers.
Organisations in Asia Pacific and Japan may know that poor security practices are costly, but many are only focusing on remediation after a breach occurs.
Puppet, which automates the delivery and operation of software that powers everything around us, shared this finding from the 2019 State of DevOps Report among others on Asia. This year’s report, written by Puppet, CircleCI and Splunk, reveals the importance of DevOps culture in driving positive security outcomes and posture.
The 2019 State of DevOps Report highlighted patterns and practices that help organisations integrate security into the software development lifecycle. It found that teams at higher levels of DevOps evolution have automated their security policies, and they involve security experts in their organisations very early in the software development process – from the planning and design phases.
In Asia, only 30% of firms have reached a significant or full security integration, compared to 38% in Australia and New Zealand (ANZ), 43% in Europe and 38% in the Americas. These organisations had achieved not only the ability to ensure customer data stays safe but also faster product delivery to market.
Some of the key findings in Asia:
Security doesn’t have to take a back seat to feature delivery
Globally, firms at the highest level of security integration are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration — 61% are able to do so. Compare this with organisations that have not integrated security at all: fewer than half (49%) can deploy on demand.
In Asia, respondents were less likely than their counterparts in Europe, the Americas and ANZ to involve their security function when an ad hoc issue is reported in production, during the requirements phase of the delivery cycle, and during the design phase of the delivery cycle. A likely reason is that the silo between security and development or operations is greater in Asia than in other regions.
Cross-team collaboration builds confidence in an organisation’s security posture
Globally, 82% of survey respondents at firms with the highest level of security integration said their security policies and practices significantly improve their firm’s security posture. Compare this with respondents at firms with no security integration: only 38% had that level of confidence.
For organisations at any level of security integration, only about half of those that can deploy to production on demand actually do deploy on demand. They are roughly equally limited by their business needs and their technology and processes. This is consistent in Asia where more than half said that they are limited by their business needs (58%) and technology and processes (57%).
Time to remediate vulnerabilities did not dramatically decrease at higher levels of security integration
However, it did decrease slightly. Globally, very few respondents are able to remediate vulnerabilities in less than one hour. Only 4% in Asia are able to remediate a critical vulnerability in less than one hour, compared to 9% in Europe and 7% globally. In Asia, 41% of respondents are able to remediate in one day to less than one week, compared to 33% of global respondents and 30% in Europe. The ability to remediate critical security vulnerabilities within one day is lowest for Singapore (13%).
One reason for this might be automation. In Singapore, there is still a relatively low degree of automation as compared to other regions. The ability to remediate critical security vulnerabilities within a day is highly dependent upon a strong degree of automation, team autonomy and change processes that are as lightweight as possible.
The more security is integrated into the software delivery lifecycle, the more delivery teams see security as a shared responsibility
Globally, firms integrating security throughout the lifecycle are more than twice as likely to be able to stop a push to production for a medium security vulnerability, ensuring their customers are protected from the risk of releasing code that isn’t secure. France, Singapore and Australia/New Zealand are doing marginally more to integrate security in the planning, design and development phases, but differences across geographies are minimal.
There is huge potential for Asia to finetune its security practices and/or processes around containers
Asia has a relatively high rate of containerised images, with Singapore leading the pack at 73%, the highest globally, compared to only 33% in the Americas. New security concerns arise when developers adopt containers en masse within an organisation while the security practices and processes around them are still in their infancy.
“This report shows that integrating security from the earliest stages of software development is essential and drives business value,” said Nigel Kersten, Field CTO of Puppet.
“The DevOps principles that drive positive outcomes for software development - culture, automation, measurement and sharing - are the same principles that drive security outcomes. We hope that this report can shed light for organisations in Singapore and the Asia region as they experiment with their existing team structure and prove that a new model can work without a major overhaul of the company to keep data safe and get products to market faster.”
“It shouldn’t be a surprise to anyone that integrating security into the software delivery lifecycle requires intentional effort and deep collaboration across teams,” said Michael Stahnke, VP of Platform, CircleCI. CircleCI is the world’s largest shared continuous integration and continuous delivery (CI/CD) platform, and has an office in Tokyo, Japan.
“What did surprise me, however, was that the practices that promote cross-team collaboration had the biggest impact on the teams’ confidence in the organisation’s security posture. Turns out, empathy and trust aren’t automatable.”
“This year’s report reinforces Splunk’s belief on how important it is to take a collaborative and integrated approach to service delivery,” said Andi Mann, Chief Technology Advocate, Splunk.
“The 2019 State of DevOps Report proves that aligning development, IT operations, SRE, incident response, security, and business analytics teams across organisations enables all stakeholders to deliver improved, more secure software services.” SRE stands for site reliability engineering.
Puppet also shared five best practices on how organisations can improve their security postures:
- Security and development teams need to collaborate on threat models.
- Security tools should be integrated in the development integration pipeline so that software engineers can be confident they’re not inadvertently introducing known security problems into their code bases.
- Security requirements, both functional and non-functional, should be prioritised as part of the product backlog.
- Security experts should evaluate automated tests, and review changes in high-risk areas of the code. Examples of such areas include authentication systems and cryptography.
- Infrastructure-related security policies should be reviewed before deployment.
Explore:
The 2019 State of DevOps Report deep-dives into how organisations can address security effectively. Download the report here.
*The survey collected data from technical professionals with a working knowledge of their IT operations and software delivery process. A third-party research firm, OnResearch, hosted the survey and conducted the data analysis. The resulting report was written by Puppet, CircleCI and Splunk. Splunk participation involved providing analysis and commentary to the report findings. All other opinions and writings in the report were completed by Puppet and CircleCI.