EXCLUSIVE INTERVIEWDevSecOps: Solving the Add-On Software Security Dilemma

EXCLUSIVE INTERVIEWDevSecOps: Solving the Add-On Software Security Dilemma

The lack of standard practices in the DevOps communities is causing growing friction as security teams line up against developers. This internal friction leaves software they develop and organizations that use the apps vulnerable to attacks and breaches.

A report released Sept. 30 by open source security and license management company WhiteSource explores various factors contributing to the siloed software development culture and what steps are needed to achieve agile, mature, DevSecOps practices -- which involves integrating IT security as a shared function among all DevOps teams.

The report shows feelings of increased pressure among software development teams to overlook security features to meet short development lifecycles.

That finding is especially significant in light of revelations that more than half of all developers polled in the report said they have either no secure coding training or only an annual event. Add to this lack of security training among software coders the finding that fewer than one-third of organizations have a defined, agreed-upon vulnerability prioritization process.

Perhaps an even more alarming dilemma is that on average just half of the organizations have an AppSec champion on their teams. More evidence of the security divide between teams is that even when security professionals say there is one, developers do not always agree, according to the report entitled "WhiteSource DevSecOps Insights, Security vs. Developers: The DevSecOps Showdown."

"If developers feel they are neglecting security to stay on schedule, something in the DevSecOps process is broken," warn the report writers.

WhiteSource surveyed over 560 application security professionals and software developers. Those results show that while most security professionals and developers believe that their organizations are in the process of adopting DevSecOps, most organizations still have a way to go, according to Rami Sass, CEO and co-founder of WhiteSource. The distance yet traveled is especially significant when it comes to breaking down the silos separating development at security teams, he noted.

"Full DevSecOps maturity requires organizations to implement DevSecOps across the board. Processes, tools, and culture need to evolve in order to break down the traditional silos and ensure that all teams share ownership of both security and agility," Sass said.

The WhiteSource report took aim at gaining a better understanding of the level of DevSecOps maturity inside organizations. Much of the results indicate that the DevSecOps process is till immature and insecure.

The report found that in order to meet short deployment cycles, 73 percent of security professionals and developers feel forced to compromise on security. In addition, companies purchased AppSec tools to 'check the box', disregarding developers' needs and processes. This practice results in tools being purchased but not used.

A significant "AppSec knowledge and skills gaps" challenge exists in many organizations teams. The report found that organizations largely neglect this knowledge gap.

Security professionals' top challenge is prioritization, at least in theory. But in practice, organizations lack the standardized processes to streamline vulnerability prioritization, according to the report.

TechNewsWorld discussed with David Habusha, vice president of product at WhiteSource, the state of DevSecOps in light of the report.

TechNewsWorld: How is siloed culture different from other software cultures?

David Habusha: The siloed approach is a legacy leftover from the waterfall methodology. In siloed culture critical elements in the software development lifecycle, like security, are treated as a specialized field, placed under the responsibility of a dedicated team and addressed in one specific phase in development. When it came to security, that was dealt with towards the end of the software development lifecycle.

The term "waterfall methodology" is often applied to the software development process. It follows a linear project management approach in which stakeholder and customer requirements are gathered at the beginning of the project. Then the development team applies a sequential project plan to accommodate those requirements.

Most organizations today understand that security needs to be dealt with throughout the DevOps pipeline, starting from the earliest stages of development. In order to do this, the silos need to be broken down and responsibility for application security needs to be shared across teams. That way, security issues are not addressed only in late stages of development, when they are more costly to fix and often delay the release.

TNW: What factors contribute to a siloed culture?

Habusha: Siloed culture is a persistent inherited legacy approach. While most organizations understand that the walls between development and security need to be broken down, many are struggling to put that understanding into practice.

There are many factors contributing to organizations' difficulty to completely abandon siloed culture. In order for organizations to successfully shift security left and help development teams share ownership over security, they need to address organizational culture, update their processes, and implement automated tools.

Currently, developers still lack the AppSec knowledge and skills that they need in order to address security. They also need security tools that integrate into their development processes and environments, so that they can easily detect, prioritize, and fix security issues without slowing down development.

Lack of communication between teams is also a huge barrier to security and development teams working together, sharing responsibility and ownership over application security throughout the DevOps pipeline.

TNW: What steps are needed to achieve agile, mature DevSecOps practices?

Habusha: There is no magic switch to achieving DevSecOps maturity. It requires a lot of changes and adjustments to the traditional approaches to the software development lifecycle. This includes updating our attitudes, skill sets, processes, the tools we use, the way we communicate, the structure of our teams, and more. DevSecOps maturity is a marathon, not a race.

One of the main steps that help achieve DevSecOps maturity is to bridge the application security knowledge gap by providing developers with continuous AppSec training, including secure coding. This is a great way to address AppSec right from the start, by teaching developers how to avoid application security issues from the earliest stages of coding.

Placing AppSec champions in development teams is another smart and effective strategy for bridging the gap between the security and development teams. This boosts developers' AppSec knowledge and skills and opens lines of communication between teams.

A third important step is to integrate AppSec security tools throughout the DevOps pipeline. When choosing these tools, it is crucial that decision-makers purchase tools that integrate seamlessly into developers' environments and that will be easy for developers to adopt.

TNW: How does this create a sense of shared ownership among competing factors among teams?

Habusha: In order to cultivate a culture of shared ownership over security, it is important for organizations to create a comprehensive application security policy to be maintained among all teams. That helps all teams share a sense of responsibility for application security.

TNW: How is this impacting on DevOps development?

Habusha: When organizations invest in taking steps towards DevSecOps maturity, security is integrated into the DevOps pipeline from the earliest stages of development. That means that security and development teams work together to address security issues from the start.

Integrating security into DevOps development means providing developers with all of the support that they need to address application security tasks without slowing down development. That includes automated security tools that help developers address security throughout development, having a shared application security policy across teams, and enabling and encouraging open communication between security and development teams.

TNW: What are the most significant takeaway from the latest WhiteSource DevSecOps Insights Report?

Habusha: The most significant takeaway from our DevSecOps Insights Report are that while most organizations feel that they are in the process of achieving DevSecOps maturity, they still have a way to go. This is evident from the fact that most security professionals and developers -- 73 percent of the 560 plus AppSec professionals and developers that we surveyed, feel forced to compromise on security. When we look at the data from the report, it is easy to see the many barriers to DevSecOps adoption.

TNW: What role can specialized security tools play in overcoming friction on teams related to building in better security?

Habusha: We found that security professionals barely consider developer adoption when choosing AppSec tools. This explains another concerning reality that we discovered: many of the AppSec tools purchased are not used by developers. When DevSecOps tools are purchased just to "check the box" rather than encourage developer adoption, security cannot be successfully integrated throughout development.

TNW: Can DevOps automated tools coexist with more attention to reliable software security?

Habusha: The best automated DevOps automated tools offer security solutions so that teams can easily bake security into development, from the earliest stages of the DevOps pipeline. These are the new generation of DevSecOps tools.

DevSecOps tools can be seamlessly integrated into developer environments so that they can address security easily, throughout development. Today's DevSecOps tools can go much further than detecting vulnerabilities.

Rather than just presenting security and development teams with an overwhelming list of security vulnerabilities that they need to address, advanced DevSecOps tools integrate into the DevOps pipeline and offer developers and security prioritization technologies.

Automated prioritization helps teams avoid friction and ensures that they are addressing the most critical issues first so that they do not waste valuable time debating what to fix first, or addressing issues that do not impact their projects.

In addition to automated prioritization, advanced DevSecOps tools can also offer actionable remediation insights and automated version updates, further helping organizations ensure that security does not slow down development.

TNW: What other barriers do DevOps teams have to overcome?

Habusha: An additional barrier we found to DevSecOps was that most developers are not getting the AppSec training that they need, even though security professionals stated that one of the top challenges they are dealing with is lack of skilled AppSec personnel.

TNW: Why is it important for organizations to have a defined and agreed-upon vulnerability prioritization process?

Habusha: Vulnerabilities prioritization is a top challenge for security professionals. Most development and security teams still lack a standardized process. Teams often rely on ad-hoc practices or separate guidelines.

Lacking an agreed-upon process for vulnerabilities prioritization delays remediation of security vulnerabilities. It also causes further friction between security and development teams.

TNW: Why is software security still considered secondary to development speed?

Habusha: Most organizations understand the need to invest in application security. Unfortunately, many still believe that integrating security into the DevOps pipeline will slow down development.

That does not need to be the case. One of the main reasons for this misperception is the way security vulnerabilities were addressed per the waterfall methodology. Then, after development, the security team would come in, analyze and test the project, and get back to development with a long list of security issues that needed to be addressed before releasing the product.

This process of detecting security vulnerability late in the software development lifecycle was very costly and slowed down development. The DevSecOps approach offers a quicker, cheaper, more secure, and all-around more efficient way to address security throughout development while sticking to increasingly shorter release cycles.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

The last notes - Hi-tech

most read news


In the beginning, social media promised to connect us to existing friends, help us form new relationships, and as a result help make us find happier lives. Facebook, initially, was just a way for new

Startup information security firm Intrigue on Tuesday announced a US$2 million seed round led by LiveOak Venture Partners for a new attack service management platform that helps secure enterprise

The larger the Internet superhighway of information grows; the more users get run over by privacy abuses and stolen data. If only we could rebuild the Internet's infrastructure to make data's journey

GTC21, this year's Nvidia GPU Technology Conference, was terrific as always.The alleged focus was on AI and autonomous cars. But, as I watched presentation after presentation from folks out of the

DuckDuckGo has announced an add-on to the Chrome browser that blocks Google's new scheme to provide marketers with information for targeting advertising at Internet users.The scheme called FLoC --

Jonathan Cran, founder and CEO of Intrigue, a cybersecurity startup based in Austin, Texas, used his company's network security tools to compile a list of Fortune 500 companies still exposed to last

A set of flaws in a widely used network communication protocol that could affect millions of devices was revealed Monday by security researchers.The nine vulnerabilities discovered by Forescout

A powerful hardware-based threat detection technology is being integrated into a Microsoft enterprise security product to help protect businesses from cryptojacking malware.The move, which integrates

Apple introduced a new version of its iMac desktop and a powerful upgrade of its iPad Pro tablet at an online event Tuesday. Both new products are based on Apple's new M1 chip."The whole thing about

The notorious Emotet botnet software began uninstalling itself from some one million computers Sunday.According to SecurityWeek, the uninstall command was part of an update sent to the infected

Apple's strategy, which has worked well financially up until now, is called "vendor lock-in."This approach, pioneered by IBM until it almost put the company out of business in the 1990s, is incredibly

Some 400 million patients worldwide are affected by more than 7,000 rare diseases; yet treatments for rare genetic diseases remain an underserved area. More than 95 percent of rare diseases do not

A surge in online shopping sprung up over the past year due to the pandemic. The rapid adoption pushed the expected timeline for consumers to expand their online shopping forays. It also opened the

Kaspersky on April 26 released survey results revealing that almost one quarter (22 percent) of PCs still run the end-of-life OS Microsoft Windows 7, which stopped receiving mainstream support in

BlackBerry had its annual analyst event last week where its CEO John Chen explained something I thought was very provocative about the future the company anticipates.It has to do with far broader

The software industry fueled jobs and GDP growth in the United States in 2020, according to a report released Tuesday by an international software research organization.The report by Software.org: the