June 11, 2018 By Jasmine Henry

New research revealed that consistent practice of secure development and operations (DevOps) remains a challenge for organizations across industries. Only half of DevOps teams integrate application security testing elements in continuous integration and continuous delivery (CI/CD) workflows, despite widespread awareness of the advantages, according to a recent report.

The research revealed insight into the state of secure DevOps and perceived barriers. While chief information officers (CIOs) and leaders understand early testing is key to cost control and risk reduction, few teams are practicing secure DevOps in a way that meaningfully reduces risks.

Why Secure Digital Transformation Matters

Fifty percent of IT decision-makers across industries are currently using application security testing elements during the DevOps process. While adoption varies by industry, the research found only a 12 percent margin between the highest and lowest adopters by industry. High-tech industries lead with 56 percent adoption, while retail ranked last at 44 percent integration of app security testing in CI/CD workflows. Where secure DevOps is practiced in the enterprise, organizations most commonly rely on software analysis scanning solutions, dynamic analysis methodologies and third-party penetration testing.

Despite lagging adoption, survey respondents revealed a strong awareness of the benefits of secure DevOps. According to the report, the potential benefits of including application testing in CI/CD workflows include:

  • Improved software quality
  • Meeting compliance and regulatory requirements
  • Reduced risk
  • Faster release processes

Secure DevOps Is Failing to Translate

While awareness is strong among CIOs and other decision-makers, the reasons organizations are failing to translate it into consistent practice are varied. According to the report, respondents cited barriers that can be mapped to technology, process and talent.

When asked what the most significant challenges are, responses included:

  • Lack of “automated, integrated” security testing tools
  • Inconsistent approaches
  • Security testing “slows things down”
  • False positive results from testing solutions
  • Developer resistance

Three out of the top five responses have roots that are at least partially based in education, culture or awareness. Inconsistency, resistance and a belief that secure DevOps bogs down workflows may indicate at least some need for education, new ways of working or other shifts in thinking.

Is Tech the Root of the Problem?

Due to the close relationship between people, processes and technology in a DevOps environment, it’s likely technological barriers are contributing to negative human perceptions and developer resistance. The report put it simply: “Not all security tools are equal, and the less software testing tools can be integrated and automated into enterprise workflows, the less effective they will be in securing CI/CD pipelines.”

As CIOs consider how to optimize the risk, compliance and agility potential of secure DevOps, overcoming these challenges may require smarter technology that fits seamlessly into existing CI/CD workflows. When in-house security and third-party security testing contribute to an organization’s goals of software quality and rapid releases, it may be easier to overcome lingering cultural barriers to secure DevOps.

Balancing Risks and Rewards

Meeting compliance requirements for security by design and default within DevOps workflows may not be the ultimate consideration for CIOs. The most mature enterprises demonstrate significant awareness of the role of IT security in the digital transformation process, according to a Ponemon Institute report titled “Bridging the Digital Transformation Divide,” sponsored by IBM.

According to the Ponemon study, the best-of-breed organizations meet criteria like achieving “full alignment between IT security and lines of business” and developing a defined secure digital transformation strategy.

While achieving enterprise-wide change is never simple, CIOs must balance risk and reward on the road to greater organizational agility. The report found that failing to address transformation risks can directly result in data breaches. Seventy-four percent of IT security practitioners say it’s “likely” their organization experienced a cybersecurity incident in the past 12 months due to a lack of security in digital transformation processes.

Read the complete Ponemon Report: Bridging the Digital Transformation Divide

How Mature Organizations Approach Secure Transformation

High-performing organizations demonstrated greater confidence in their security processes, a confidence that is directly influenced by the attitudes and actions of senior management, according to the Ponemon study. When asked about leadership’s role in digital transformation, IT security practitioners from the most mature organizations agreed or strongly agreed with the following statements:

  • Investment in emerging security technologies is key, including automation, artificial intelligence (AI) and machine learning
  • Digital transformation creates security risks, which must be managed
  • Adequate funding for IT security is crucial to digital transformation processes
  • Securing digital assets is connected to “trust with customers and consumers”

Not Just a DevOps Problem

There’s a significant risk for enterprises that fail to adopt secure practices in digital transformation, including a failure to bridge the gap between awareness and practice of secure DevOps. These risks can include challenges associated with costly application rework, slower releases, noncompliance, security breaches and loss of consumer trust.

While many CIOs perceive significant barriers to adopting secure CI/CD workflows in DevOps, these challenges may be solved by smarter tools and third-party partnerships. Application testing solutions that increase efficiency and decrease false positives are likely to enable enterprises to unlock the benefits of secure CI/CD workflows while reducing human resistance.

However, the Ponemon study found that the solution to the secure DevOps crisis isn’t just technology. The gap between awareness and adoption may be a symptom of insecure digital transformation and a sign that leadership needs to support steps toward enterprise-wide maturity. By understanding that transformation creates risks, leaders can invest wisely in the right emerging technologies to secure digital assets and customer trust.

