Contrary to popular belief, the DevOps software development model is not safeguarding the applications of organizations, because a large majority of developers are not conducting application security testing while writing code.
The vulnerability stems from a shortage of IT security professionals and a lack of interaction between security professionals and DevOps teams, according to a study by U.S. technology firm Hewlett Packard Enterprise (HPE).
The report, titled Application Security and DevOps Report 2016, maintains that the DevOps methodology offers every opportunity to improve application security. That’s because more than 90% of respondents in the survey vouched for the efficiency of DevOps in protecting applications.
In the survey, however, 20% of respondents said they are doing application security testing during development, while 17% said they are not using any technologies to protect their applications.
The problem is a ‘disconnect’ between developers and security professionals in organizations. The report says many developers do not seem to be in touch with security professionals in the organizations for which they are developing software, with some developers admitting that they have never met their security teams at all.
Even in job postings, many companies do not specify that software developers need to have security or secure coding experience. A lack of application security talent is another challenge companies are facing. For every 80 developers in the organizations surveyed, there is only one application security professional, the report added.
To get around this barrier, the report suggests that organizations should integrate security tools into the development ecosystem so that developers can find and fix vulnerabilities in real time as they write code.
“The expectation is that applications will be released with a level of security that meets the goals of the organization to ensure the protection of not only the software and customers but also the organization itself,” the report noted.