Cybersecurity is a constantly evolving, and growing, challenge that puts everybody and everything at risk in an increasingly all-digital world. It is therefore a process rather than a one-time solution, and one in which applications play a critical role, which means DevOps has to be part of the solution rather than part of the problem. Unfortunately, that is not yet the case, according to the Application Security and DevOps Report 2016, a new survey from Hewlett Packard Enterprise.
The intent of the survey was to validate third-party research about the need for closer integration between security and DevOps teams, “to better understand with primary research what that looks like,” said Scott Johnson, Director of Product Management, HPE Security Fortify, Hewlett Packard Enterprise. The results were concerning, he told IT Trends & Analysis.
It came as no surprise that almost 100% of respondents agreed that integrating security into DevOps would improve application security; what was surprising is that only 20% were actually doing so, and "about 17% weren't doing anything at all".
Some of the findings illustrate the issue:
- organizational barriers between security professionals and developers: there is a significant disconnect between the two groups, and 90% of security professionals said that integrating application security has become more difficult since their organization adopted DevOps;
- lack of security awareness, emphasis and training for developers: of more than 100 job postings for software developers at Fortune 1000 companies, none listed security or secure-coding experience or knowledge among the required skills; and
- a shortage of application security talent: the organizations surveyed had, on average, only one application security professional for every 80 developers.
Beyond the finding that most organizations weren't doing appsec at all, Johnson pointed to "the speed with which customers are releasing their apps." In 2010 organizations averaged 4 releases per application per year; that figure is expected to explode to more than 100 releases per application by the end of the decade, he said. At that cadence, security checks that depend on a manual review before each release cannot keep up.
Another key finding concerned automation; its adoption wasn't the surprise, but the breadth of tools "that people are using was a really interesting takeaway for us." Organizations are at different stages of maturity, and "there is a broad set of tools in a number of different categories."
It's no surprise that cybersecurity, appsec and DevOps are top of mind for HPE. Global annual cybercrime costs are expected to double, from $3 trillion in 2015 to $6 trillion by 2021.
Money on that scale attracts a lot of attention, especially from the 'Bad Guys': everyone from hacktivists, cybercriminals and rogue governments (not to be confused with the good governments, which only spy on us for our benefit) to careless or malicious employees. It also means that new and improved security measures are only as effective as the people who use them (which means you're in real trouble: 95% of all security breaches were caused by human error), and only until the Bad Guys come up with ways to defeat them.
Of even greater concern: through 2020, 99% of the vulnerabilities exploited will continue to be ones that security and IT professionals have known about for at least one year. In other words, most attackers don't need zero-days; they need only find the known flaws an organization hasn't fixed yet. Equally worrisome: a bad digital experience negatively impacts the future buying behavior of more than 90% of customers.
A lot of money is being spent on cybersecurity, and the annual amount is growing at more than five times the rate of overall IT spending: a compound annual growth rate of 8.3% through 2020, versus overall IT spending that grew 0.9% in 2016 (to $3.4 trillion) and is expected to reach $3.8 trillion by 2020. Throwing money at cybersecurity, however, doesn't address the biggest threat, people: as noted above, 95% of all security breaches were caused by human error.
People also factor into another cybersecurity challenge, the skills shortage. According to a new survey, more than half (56%) of cybersecurity professionals say they aren't receiving the right level of skills development to address the rapidly evolving threat landscape. "This research paints an escalating and dangerous game of cyber security 'cat and mouse' and today's cyber security professionals reside on the front line of this perpetual battle, often knowing they are undermanned, underskilled and undersupported for the fight," said Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group (ESG).
HPE recommends that security be a shared responsibility across the organization, to eliminate barriers, and that it be embedded in every stage of the development process, with executive support and metrics that hold teams accountable for secure development. The metrics it proposes are mean-time-to-triage (MTTT), that is, the time from a finding being reported to a decision on its validity and priority; mean-time-to-fix (MTTF), the time from report to a verified fix; and program compliance, whether teams are meeting the program's policy, such as fixing findings within the agreed remediation window. (MTTF here is unrelated to the reliability-engineering metric that shares the abbreviation.)
Other recommendations include bridging the awareness, emphasis and training gaps by making secure development seamless and intuitive for developers, and by integrating security tools into the development ecosystem (the IDE, source control and the build pipeline) so that findings reach developers where they already work. In addition, organizations should use automation and analytics as application security force multipliers.
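The following is an added example, not from the HPE report or from Fortify, of how the three metrics in the preceding paragraph might be computed from a vulnerability-tracker export and, in the spirit of the automation recommendation above, turned into a release gate. The Finding schema, the per-severity SLA windows, the 90% compliance threshold and the five sample findings are all constructed assumptions for illustration; a real program would take them from its own tracker and policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    """One appsec finding as exported from a tracker (hypothetical schema)."""
    ref: str
    severity: str                        # "critical", "high", "medium" or "low"
    found: datetime                      # when the scanner or tester reported it
    triaged: Optional[datetime] = None   # when a human confirmed and prioritised it
    fixed: Optional[datetime] = None     # when the fix was verified (e.g. clean rescan)


# Assumed remediation policy: days allowed from discovery to verified fix, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def _days(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 86400


def mean_time_to_triage(findings) -> Optional[float]:
    """MTTT in days over findings that have been triaged; None if none have."""
    spans = [_days(f.found, f.triaged) for f in findings if f.triaged is not None]
    return mean(spans) if spans else None


def mean_time_to_fix(findings) -> Optional[float]:
    """MTTF in days over findings with a verified fix. Open findings are excluded,
    so a low MTTF can hide a backlog; always read it together with compliance."""
    spans = [_days(f.found, f.fixed) for f in findings if f.fixed is not None]
    return mean(spans) if spans else None


def _deadline(f: Finding, sla_days) -> datetime:
    return f.found + timedelta(days=sla_days[f.severity])


def program_compliance(findings, as_of: datetime, sla_days=SLA_DAYS) -> float:
    """Share of findings meeting policy: fixed within the window, or still open but
    not yet past it. Open findings past their deadline count against the program."""
    if not findings:
        return 1.0
    met = 0
    for f in findings:
        deadline = _deadline(f, sla_days)
        if f.fixed is not None:
            met += int(f.fixed <= deadline)
        else:
            met += int(as_of <= deadline)
    return met / len(findings)


def overdue(findings, as_of: datetime, sla_days=SLA_DAYS):
    """Refs of open findings that have blown their SLA, for the escalation list."""
    return [f.ref for f in findings
            if f.fixed is None and as_of > _deadline(f, sla_days)]


def release_gate(findings, as_of: datetime, min_compliance=0.9,
                 block_on=("critical", "high")) -> bool:
    """True if a release may proceed: no overdue critical/high finding and overall
    compliance at or above the threshold (both thresholds are assumptions)."""
    severity = {f.ref: f.severity for f in findings}
    blocking = [r for r in overdue(findings, as_of) if severity[r] in block_on]
    return not blocking and program_compliance(findings, as_of) >= min_compliance


# Constructed sample export: five findings, evaluated as of 30 Sep 2016.
AS_OF = datetime(2016, 9, 30)
SAMPLE = [
    Finding("F-1", "critical", datetime(2016, 9, 1), datetime(2016, 9, 2), datetime(2016, 9, 5)),
    Finding("F-2", "high", datetime(2016, 8, 1), datetime(2016, 8, 3), datetime(2016, 9, 15)),  # fixed, but late
    Finding("F-3", "medium", datetime(2016, 8, 15), datetime(2016, 8, 20)),                     # open, within SLA
    Finding("F-4", "high", datetime(2016, 8, 20)),                                              # never triaged, overdue
    Finding("F-5", "low", datetime(2016, 7, 1), datetime(2016, 7, 5), datetime(2016, 7, 20)),
]

if __name__ == "__main__":
    print(f"MTTT: {mean_time_to_triage(SAMPLE):.1f} days")          # 3.0
    print(f"MTTF: {mean_time_to_fix(SAMPLE):.1f} days")             # 22.7
    print(f"compliance: {program_compliance(SAMPLE, AS_OF):.0%}")   # 60%
    print("overdue:", overdue(SAMPLE, AS_OF))                       # ['F-4']
    print("release allowed:", release_gate(SAMPLE, AS_OF))          # False
```

On the sample data MTTF alone looks healthy at about 23 days, because it averages only closed findings; it is the compliance figure and the overdue list that expose the high-severity finding sitting untriaged past its deadline, which is why the gate checks those rather than MTTF.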
Organizations need to start by recognizing that appsec must be part of the development culture, said Johnson. That is not the current situation, and he believes that is why everything is taking longer than expected.
An integrated DevOps/appsec approach starts at the top, with C-level involvement, he said, but at the same time it has to be built from the bottom up. And developers have to be given the tools; "that's a big part of what we're enabling at Fortify."