BIoT Canada

HPE calls for tighter integration between security and DevOps teams

October 25, 2016  

Hewlett Packard Enterprise (HPE) today published the Application Security and DevOps Report 2016, a new research study highlighting the critical need for closer integration between organizations’ security and DevOps teams.

The HPE report examines the challenges many organizations face in integrating security across DevOps, and provides recommendations to strengthen these programs.

According to the findings, which are based on both quantitative and qualitative responses from IT operations professionals, security leaders, and developers, 99% of all respondents agree that adopting a DevOps culture has the opportunity to improve application security. However, only 20% are doing application security testing during development, and 17% are not using any technologies to protect their applications, highlighting a significant disconnect between the perception and reality of secure DevOps.

“Our research shows that both security leaders and developers believe that the DevOps movement has the potential to significantly improve application security, but organizations are struggling to realize that potential so far,” said Jason Schmitt, vice president and general manager, HPE Security Fortify, Hewlett Packard Enterprise.

“By understanding the current state of DevOps and best practices for integrating security into the development culture, organizations can successfully secure software in this new DevOps world without impeding the speed and agility that it brings.”

According to the report, DevOps presents tremendous promise for more secure software development, as organizations can potentially find and remediate vulnerabilities more frequently and earlier in the application lifecycle, saving cost and time. However, the report found key barriers and gaps preventing organizations from successfully integrating security and DevOps, including:

  • Organizational barriers between security professionals and developers. The report reflected a significant disconnect between developers and security teams – and in some cases, respondents admitted to not even knowing their security teams. This led to 90% of security professionals stating that integrating application security has become more difficult since their organizations deployed DevOps.
  • Lack of security awareness, emphasis, and training for developers. Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the skills required.1
  • Shortage of application security talent. For every 80 developers in the organizations surveyed, there is only one application security professional.1 The lack of security personnel, along with the increasingly rapid development cycle, makes secure development extremely difficult.