New research revealed that consistent practice of secure development and operations (DevOps) remains a challenge for organizations across industries. Only half of DevOps teams integrate application security testing elements in continuous integration and continuous delivery (CI/CD) workflows, despite widespread awareness of the advantages, according to a recent report.

The research revealed insight into the state of secure DevOps and perceived barriers. While chief information officers (CIOs) and leaders understand early testing is key to cost control and risk reduction, few teams are practicing secure DevOps in a way that meaningfully reduces risks.

Why Secure Digital Transformation Matters

Fifty percent of IT decision-makers across industries are currently using application security testing elements during the DevOps process. While adoption varies by industry, the research found only a 12 percent margin between the highest and lowest adopters by industry. High-tech industries lead with 56 percent adoption, while retail was ranked last at 44 percent integration of app security testing in CI/CD workflows. Where secure DevOps is practiced in the enterprise, organizations most commonly rely on software analysis scanning solutions, dynamic analysis methodologies and third-party penetration testing.

Despite lagging adoption, survey respondents revealed a strong awareness of the benefits of secure DevOps. According to the report, the potential benefits of including application testing in CI/CD workflows include:

  • Improved software quality
  • Meeting compliance and regulatory requirements
  • Reduced risk
  • Speed to release processes

Secure DevOps Is Failing to Translate

While awareness is strong among CIOs and other decision-makers, the reasons organizations are failing to translate it into consistent practice are varied. According to the report, respondents cited barriers that can be mapped to technology, process and talent.

When asked what the most significant challenges are, responses included:

  • Lack of “automated, integrated” security testing tools
  • Inconsistent approaches
  • Security testing “slows things down”
  • False positive results from testing solutions
  • Developer resistance

Three of the top five responses are at least partly rooted in education, culture or awareness. Inconsistency, resistance and a belief that secure DevOps bogs down workflows may indicate at least some need for education, new ways of working or other shifts in thinking.

Is Tech the Root of the Problem?

Due to the close relationship between people, processes and technology in a DevOps environment, it’s likely technological barriers are contributing to negative human perceptions and developer resistance. The report put it simply: “Not all security tools are equal, and the less software testing tools can be integrated and automated into enterprise workflows, the less effective they will be in securing CI/CD pipelines.”

As CIOs consider how to optimize the risk, compliance and agility potential of secure DevOps, overcoming challenges may require smarter technology that fits seamlessly into existing CI/CD workflows. When security and third-party security testing contribute to an organization’s goals of software quality and rapid releases, it may be easier to overcome lingering cultural barriers to secure DevOps.

Balancing Risks and Rewards

Meeting compliance requirements for security by design and default within DevOps workflows may not be the ultimate consideration for CIOs. The most mature enterprises demonstrate significant awareness of the role of IT security in the digital transformation process, according to a Ponemon Institute report titled “Bridging the Digital Transformation Divide,” sponsored by IBM.

According to the Ponemon study, the best-of-breed organizations meet criteria like achieving “full alignment between IT security and lines of business” and developing a defined secure digital transformation strategy.

While achieving enterprise-wide change is never simple, CIOs must balance risk and reward on the road to greater organizational agility. The report found that failing to address transformation risks can directly result in data breaches. Seventy-four percent of IT security practitioners say it’s “likely” their organization experienced a cybersecurity incident in the past 12 months due to a lack of security in digital transformation processes.

Read the complete Ponemon Report: Bridging the Digital Transformation Divide

How Mature Organizations Approach Secure Transformation

High-performing organizations demonstrated greater confidence about their security processes, which is directly influenced by the attitudes and actions of senior management, according to the Ponemon study. When asked about leadership’s role in digital transformation, IT security practitioners from the most mature organizations agreed or strongly agreed with the following statements:

  • Investment in emerging security technologies is key, including automation, artificial intelligence (AI) and machine learning
  • Digital transformation creates security risks, which must be managed
  • Adequate funding for IT security is crucial to digital transformation processes
  • Securing digital assets is connected to “trust with customers and consumers”

Not Just a DevOps Problem

There’s a significant risk for enterprises that fail to adopt secure practices in digital transformation, including a failure to bridge the gap between awareness and practice of secure DevOps. These risks can include challenges associated with costly application rework, slower releases, noncompliance, security breaches and loss of consumer trust.

While many CIOs perceive significant barriers to adopting secure CI/CD workflows in DevOps, these challenges may be solved by smarter tools and third-party partnerships. Application testing solutions that increase efficiency and decrease false positives are likely to enable enterprises to unlock the benefits of secure CI/CD workflows while reducing human resistance.

However, the Ponemon study found that the solution to the secure DevOps crisis isn’t just technology. The gap between awareness and adoption may demonstrate insecure digital transformation and a need for leadership to support steps toward enterprise-wide maturity. By understanding that transformation creates risks, leaders can invest wisely in the right emerging technologies to secure digital assets and customer trust.

