New research revealed that consistent practice of secure development and operations (DevOps) remains a challenge for organizations across industries. Only half of DevOps teams integrate application security testing elements in continuous integration and continuous delivery (CI/CD) workflows, despite widespread awareness of the advantages, according to a recent report.

The research revealed insight into the state of secure DevOps and perceived barriers. While chief information officers (CIOs) and leaders understand early testing is key to cost control and risk reduction, few teams are practicing secure DevOps in a way that meaningfully reduces risks.

Why Secure Digital Transformation Matters

Fifty percent of IT decision-makers across industries are currently using application security testing elements during the DevOps process. While adoption varies by industry, the research found only a 12 percent margin between the highest and lowest adopters by industry. High-tech industries lead with 56 percent adoption, while retail was ranked last at 44 percent integration of app security testing in CI/CD workflows. Most commonly, organizations rely on software analysis scanning solutions, dynamic analysis methodologies and third-party penetration testing when secure DevOps is practiced in the enterprise.

Despite lagging adoption, survey respondents revealed a strong awareness of the benefits of secure DevOps. According to the report, the potential benefits of including application testing in CI/CD workflows include:

  • Improved software quality
  • Meeting compliance and regulatory requirements
  • Reduced risk
  • Speed to release processes

Secure DevOps Is Failing to Translate

While awareness is strong among CIOs and other decision-makers, the reasons organizations are failing to translate it into consistent practice are varied. According to the report, respondents cited barriers that can be mapped to technology, process and talent.

When asked what the most significant challenges are, responses included:

  • Lack of “automated, integrated” security testing tools
  • Inconsistent approaches
  • Security testing “slows things down”
  • False positive results from testing solutions
  • Developer resistance

Three out of the top five responses have roots that are at least partially based in education, culture or awareness. Inconsistency, resistance and a belief that secure DevOps bogs down workflows may indicate at least some need for education, new ways of working or other shifts in thinking.

Is Tech the Root of the Problem?

Due to the close relationship between people, processes and technology in a DevOps environment, it’s likely technological barriers are contributing to negative human perceptions and developer resistance. The report put it simply: “Not all security tools are equal, and the less software testing tools can be integrated and automated into enterprise workflows, the less effective they will be in securing CI/CD pipelines.”

As CIOs consider how to optimize the risk, compliance and agility potential of secure DevOps, overcoming challenges may require smarter technology that fits seamlessly into existing CI/CD workflows. When security and third-party security testing contributes to an organization’s goals of software quality and rapid releases, it may be easier to overcome lingering cultural barriers to secure DevOps.

Balancing Risks and Rewards

Meeting compliance requirements for security by design and default within DevOps workflows may not be the ultimate consideration for CIOs. The most mature enterprises demonstrate significant awareness of the role of IT security in the digital transformation process, according to a Ponemon Institute report titled “Bridging the Digital Transformation Divide,” sponsored by IBM.

According to the Ponemon study, the best-of-breed organizations meet criteria like achieving “full alignment between IT security and lines of business” and developing a defined secure digital transformation strategy.

While achieving enterprise-wide change is never simple, CIOs must balance risk and reward on the road to greater organizational agility. The report found that failing to address transformation risks can directly result in data breaches. Seventy-four percent of IT security practitioners say it’s “likely” their organization experienced a cybersecurity incident in the past 12 months due to a lack of security in digital transformation processes.

Read the complete Ponemon Report: Bridging the Digital Transformation Divide

How Mature Organizations Approach Secure Transformation

High-performing organizations demonstrated greater confidence about their security processes, which is directly influenced by the attitudes and actions of senior management, according to the Ponemon study. When asked about leadership’s role in digital transformation, IT security practitioners from the most mature organizations agreed or strongly agreed with the following statements:

  • Investment in emerging security technologies is key, including automation, artificial intelligence (AI) and machine learning
  • Digital transformation creates security risks, which must be managed
  • Adequate funding for IT security is crucial to digital transformation processes
  • Securing digital assets is connected to “trust with customers and consumers”

Not Just a DevOps Problem

There’s a significant risk for enterprises that fail to adopt secure practices in digital transformation, including a failure to bridge the gap between awareness and practice of secure DevOps. These risks can include challenges associated with costly application rework, slower releases, noncompliance, security breaches and loss of consumer trust.

While many CIOs perceive significant barriers to adopting secure CI/CD workflows in DevOps, these challenges may be solved by smarter tools and third-party partnerships. Application testing solutions that increase efficiency and decrease false positives are likely to enable enterprises to unlock the benefits of secure CI/CD workflows while reducing human resistance.

However, the Ponemon study found that the solution to the secure DevOps crisis isn’t just technology. The gap between awareness and adoption may demonstrate insecure digital transformation and a need for leadership to support steps toward enterprise-wide maturity. By understanding that transformation creates risks, leaders can invest wisely in the right emerging technologies to secure digital assets and customer trust.

Read the complete Ponemon Report: Bridging the Digital Transformation Divide

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…