Organizations seeking way to balance development agility with application security
LEHI, UT (July 19, 2017) — DigiCert, a global leader in scalable identity and encryption solutions for enterprise and Internet of Things (IoT) security, today announced the results of its 2017 “Inviting Security into DevOps Survey,” which reveals that 98 percent of enterprises are integrating their security teams into their existing DevOps methodologies. Or, at least they’re trying to.
Their goal is to increase information security, IT agility and development agility. However, they face several challenges, including the amount of time required, and cultural differences among the security, IT and DevOps roles.
“Going faster introduces security risks, while maximizing security often slows things down,” said Dan Timpson, Chief Technology Officer at DigiCert. “The market is at a tipping point and enterprises are looking for solutions to minimize the time that it takes to integrate and to help security better fit within DevOps workflows.”
Of those enterprises, 49 percent are still in the process of integrating security into DevOps, and 49 percent have completed their efforts. Those who have integrated security into DevOps report improvements to both development agility and information security, contrary to the common belief that security and agility cannot coexist. Additionally, they are:
- 22 percent more likely to report they are doing well with information security
- 21 percent more likely to report doing well meeting app delivery deadlines
- 21 percent more likely to report doing well lowering app risk
Repercussions of the Status Quo
Agile security is on the minds of enterprises, with 88 percent of respondents saying it is somewhat to extremely important to integrate security into DevOps. They worry that failure to do so will lead to problems including:
- Increased costs (78 percent)
- Slower app delivery (73 percent)
- Increased security risks (71 percent)
Respondents also admit the process is not easy, although the obstacles vary depending on where an organization is in the process.
Before making the transition, enterprises predict the top challenges will be that:
- The organization structure prohibits integration
- They lack a champion for the transition
- The security team doesn’t really work well in a team environment
For those organizations looking back after integrating security, the biggest roadblocks turned out to be:
- Takes too much time
- Security team resists the change
- Lack of relationship skills required to bring the two teams together
Note that the top challenge cited after integrating was that the transition took too long. Technical teams underestimate the challenge of integrating security into DevOps, expecting the integration to take less than a year (seven to 11 months). Those who claim to have completed the process say it took roughly twice as long: on average, one to two years.
The DigiCert 2017 Inviting Security into DevOps survey points to four best practices to help balance development agility and information security to help create a predictable and reliable process:
- Appoint a Social Leader: Identify a champion to drive cultural change, including defining IT, security and DevOps roles and integrating the teams.
- Bring Security to the Table: Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, and sign and encrypt everything within the network using automated PKI.
- Invest in Automation: Automate baseline security practices within the DevOps workflow, including certificate management, patching, vulnerability scanning and static code analysis.
- Integrate and Standardize: Implement controls on certificate management processes and integrate them with server configuration and orchestration platforms to enable automated security behind the scenes.
“Agility and security are not mutually exclusive, and integration requires a combination of technology improvements, and a cultural shift in how technical staff is aligned,” said DigiCert Chief Security Officer Jason Sabin. “The DevOps methodology is not just a method for increasing speed, but about improving efficiency, quality control and predictability in development outcomes. The right integration of security staff and technology, including digital certificates, can improve organizational metrics, avoid costly delays and improve the end-user experience.”
About the Research
DigiCert commissioned ReRez Research of Dallas, Texas to survey large organizations in the U.S. during May 2017. The survey included 300 senior managers in total, split evenly between IT, DevOps and Security management roles.
About DigiCert, Inc.
DigiCert is a leading provider of scalable security solutions for a connected world. The most innovative companies, including the Global 2000, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports SSL/TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management platform, CertCentral®. The company has been recognized with dozens of awards for its enterprise-grade management platform, fast and knowledgeable customer support, and market-leading growth. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.