Hewlett Packard Enterprise Security Research Highlights Gap Between Perception and Reality for Secure DevOps
Application Security and DevOps Report 2016 emphasizes importance of aligning security and DevOps
PALO ALTO, Calif., October 25, 2016 – Hewlett Packard Enterprise (HPE) today published the Application Security and DevOps Report 2016, a new research study highlighting the critical need for closer integration between organizations’ security and DevOps teams.
The HPE report closely examines the challenges many organizations face in integrating security across DevOps, and provides recommendations to strengthen these programs. According to the report, which included both quantitative and qualitative responses from IT operations professionals, security leaders, and developers, 99 percent of all respondents agree that adopting a DevOps culture has the opportunity to improve application security.1 However, only 20 percent are doing application security testing during development, and 17 percent are not using any technologies to protect their applications, highlighting a significant disconnect between the perception and reality of secure DevOps.1
“Our research shows that both security leaders and developers believe that the DevOps movement has the potential to significantly improve application security, but organizations are struggling to realize that potential so far,” said Jason Schmitt (@raidschmitt), vice president and general manager, HPE Security Fortify, Hewlett Packard Enterprise. “By understanding the current state of DevOps and best practices for integrating security into the development culture, organizations can successfully secure software in this new DevOps world without impeding the speed and agility that it brings.”
DevOps presents tremendous promise for more secure software development, as organizations can potentially find and remediate vulnerabilities more frequently and earlier in the application lifecycle, saving cost and time. However, the Application Security and DevOps Report 2016 found key barriers and gaps preventing organizations from successfully integrating security and DevOps, including:
- Organizational barriers between security professionals and developers. The report reflected a significant disconnect between developers and security teams – and in some cases, respondents admitted to not even knowing their security teams. This led to 90 percent of security professionals stating that integrating application security has become more difficult since their organizations deployed DevOps.1
- Lack of security awareness, emphasis, and training for developers. Out of more than 100 job postings for software developers at Fortune 1000 companies, none specified security or secure coding experience and knowledge as part of the skills required.1
- Shortage of application security talent. For every 80 developers in the organizations surveyed, there is only one application security professional.1 The lack of security personnel, along with the increasingly rapid development cycle make secure development extremely difficult.
“Adopting a DevOps process can help make applications more secure, since the development and production environment are built the same way and to the same security standards and testing,” said John Meakin, Group Information Security Officer, Burberry (@Burberry). “However, it requires a commitment across the organization to prioritize security, and incorporate more automated testing solutions that make it easier to gather real-time feedback and remediate vulnerabilities throughout the development process.”
Recommendations for Secure Application Development
As organizations continue to adopt DevOps culture, the report offers recommendations to bring down barriers for secure application development, and better integrate security with DevOps teams, including:
- Security should be a shared responsibility across the organization to eliminate barriers. Security must be imbedded throughout every stage of the development process, with executive support and metrics to hold teams accountable for secure development. These metrics should focus on mean-time-to-triage (MTTT), mean-time-to-fix (MTTF), and program compliance.
- Bridge awareness, emphasis, and training gaps by making it seamless and more intuitive for developers to practice secure development. Organizations should integrate security tools into the development ecosystem, such as HPE Fortify Security Assistant, to allow developers to find and fix vulnerabilities in real-time as they write code. This makes it easy and efficient to develop securely, and educates the developer on secure coding in the process.
- Leverage automation and analytics as application security force multipliers. Organizations should leverage enterprise-grade application security automation with analytics built in, such as the machine learning capability of HPE Fortify Scan Analytics, to automate the application security testing audit process and allow their application security professionals to focus only on the highest priority risks. This reduces the number of security issues that require manual review, saving both time and resources, while lowering overall risk exposure.
The recently launched HPE Fortify Ecosystem enables organizations to fully integrate security into the DevOps tool chain by allowing developers to seamlessly and intuitively test and secure applications during the software development lifecycle.
The Application Security and DevOps Report 2016 leverages data and analysis from HPE Security teams, industry leaders, enterprises, and developers to deliver key insights on the multiple gaps and barriers between the promise and reality of Secure DevOps.
About HPE Security
HPE Security helps organizations protect their business-critical digital assets by building security into the fabric of the enterprise, detecting and responding to advanced threats, and safeguarding continuity and compliance to effectively mitigate risk. With an integrated suite of market-leading products, services, threat intelligence and security research, HPE Security empowers organizations to balance protection with innovation to keep pace with today’s idea economy. Find out more about HPE Security at https://www.hpe.com/us/en/solutions/protect-digital.html.
Join HPE Software on LinkedIn and follow @HPE_Software on Twitter. To learn more about HPE Enterprise Security products and services on Twitter, please follow @HPE_Security and join HPE Enterprise Security on LinkedIn.
About Hewlett Packard Enterprise
Hewlett Packard Enterprise is an industry-leading technology company that enables customers to go further, faster. With the industry’s most comprehensive portfolio, spanning the cloud to the data center to workplace applications, our technology and services help customers around the world make IT more efficient, more productive and more secure.
(1) HPE Application Security and DevOps Report 2016
This document contains forward-looking statements within the meaning of the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. Such statements involve risks, uncertainties and assumptions. If such risks or uncertainties materialize or such assumptions prove incorrect, the results of Hewlett Packard Enterprise could differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including any statements of the plans, strategies and objectives of Hewlett Packard Enterprise for future operations; other statements of expectation or belief; and any statements of assumptions underlying any of the foregoing. Risks, uncertainties and assumptions include the possibility that expected benefits may not materialize as expected and other risks that are described in Hewlett Packard Enterprise’s filings with the Securities and Exchange Commission, including but not limited to the risks described in Hewlett Packard Enterprise’s Registration Statement on Form 10 dated July 1, 2015, as amended August 10, 2015, September 4, 2015, September 15, 2015, September 28, 2015 and October 7, 2015. Hewlett Packard Enterprise assumes no obligation and does not intend to update these forward-looking statements.