Learning from the masters of DevSecOps: Getting security right at scale

With the relentless 24/7 nature of the digital economy, many customers I talk to are under pressure to continually release and update their apps. Making this happen is a challenge in itself. But keeping those apps secure can be even more problematic – especially when security is left to the end of the development cycle.

That may seem an unlikely approach in today’s heightened IT security climate. But in my experience, it’s all too common. Under pressure to get their apps out fast, firms often compromise security.

It’s an issue underlined by research on app security, carried out by Freeform Dynamics with executives in large global businesses.

Only 20 percent of them strongly agree that their security testing is up to the demands of continual app development. And only 25 percent strongly agree they have a robust approach to continuously testing for security vulnerabilities.

At the same time, the threats posed by mobile and web-based apps continue to grow: 74 percent say security threats arising from software and code issues are a growing concern.

The era of DevSecOps

So what is the path forward? Given the enormous security threats we now face, organisations must embed security into the very DNA of their software development processes. That means weaving it into every step: design, coding, release, operation and updating.

Ironically, business leaders know this. Almost all of them (91 percent) agree that making security a more integrated part of software development is a key priority. Some 76 percent believe it’s critical to integrate security practices earlier in the software development lifecycle. 

The evolving process for doing this, DevSecOps, is however not as straightforward to implement as we’d all like.

As the name suggests, DevSecOps brings security into the DevOps fold. Security is “shifted left”, so that security testing becomes a natural part of the development process rather than a gate at the end of it. This puts pressure on an organisation’s people, processes and tools.

That probably explains why only about a third of executives (32 percent) say their IT function is “very effective” at integrating security into the software development cycle early on. And why only 24 percent strongly agree their firm’s culture and practices support the necessary collaboration between development, operations and security.

Most troubling: there may also be a lack of support for implementing DevSecOps at the top. Only 24 percent of respondents strongly agree that senior management understands the importance of not compromising security in favor of speed-to-market. This is truly an alarming statistic, and very surprising in this era of growing security breaches associated with mobile and web-based apps.

Look to the masters

Despite these barriers, the research identified a group of businesses that excel at DevSecOps practices. These ‘Software Security Masters’ represent about 34 percent of the businesses surveyed, globally.

Not only do these firms make security an implicit part of how they work, they take a much broader view of security than their peers. A full 45 percent of the masters strongly agree that security is an enabler of new business opportunities in addition to helping protect a company’s data and systems, versus only 19 percent of their peers in the “mainstream”. As an executive at one such organisation explains: “We work with security early on, so that we’re not architecting in security flaws.”

Not surprisingly, the study found that the masters are also seeing significant business benefits as compared to the mainstream:

  • Accelerated time-to-market: Masters are 2.6x more likely to say their security testing can keep up with the demand to release frequent app updates
  • Improved competitive advantage: Masters are 2.5x more likely to say they are moving fast enough to out-pace their competitors
  • Healthier top and bottom lines: Masters have a 40 percent higher rate of revenue growth and a 50 percent higher rate of profit growth than their peers in the mainstream

The business case for DevSecOps couldn’t be clearer. It drives business performance because, in the words of another of our masters, “security cannot be an afterthought”.