by Jessica Cowle
Engineers know that security is important, yet nearly half (48%) don’t have enough time to spend on security, according to a new report.
That is bad news for security posture. The data suggests that organizations are at growing risk of a security incident because of a lack of time, not a lack of education or expertise.
Report Highlights Need for Automated Security
Organizations with mature DevOps practices are more likely to automate security, which ultimately improves the organization’s security posture. Mature DevOps teams are 350% more likely to integrate automated security throughout the deployment process. They are 29% more likely to have an incident response plan and 37% more likely to have an open source governance policy.
This automation-focused approach to security, often called DevSecOps, is designed to “shift security left.” Security is built into infrastructure provisioning and into application design and testing, rather than bolted on at the end. Overall, mature DevOps teams favor automation over manual processes by 700%.
Compliance as Code
Compliance as Code involves building automated guardrails into DevOps processes to ensure that regulatory controls are maintained. Whether automating the installation of core logging, monitoring, and access control settings through infrastructure templates or enforcing encryption on object storage, Compliance as Code (or “continuous compliance” or “automated compliance”) is critical for DevOps teams that must maintain compliance with HIPAA, PCI, FFIEC, ISO 27001 or other common regulatory frameworks.
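One concrete form the “automated guardrails” above can take is a pipeline step that evaluates an infrastructure template against a handful of controls and refuses to deploy it when any control fails. The block below is an added example, not code from the report or from any vendor: it checks a CloudFormation template (JSON form) for default object-storage encryption, public-access blocking, and an active, validated CloudTrail trail, using only the Python standard library. The template is constructed for the example, and the control names (S3-ENCRYPTION, S3-PUBLIC-ACCESS, CLOUDTRAIL) are this example's own labels.

```python
"""Compliance-as-code guardrail for an infrastructure template.

Added example, not code from the report: three controls are evaluated over a
CloudFormation template (JSON form) and deployment is refused if any fails.
"""
import json

# Constructed sample template (not a real deployment): one bucket that meets
# the controls, one legacy bucket that does not, and a trail with logging off.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
        "LegacyBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
        },
        "AuditTrail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "S3BucketName": {"Ref": "DataBucket"},
                "IsLogging": False,
                "EnableLogFileValidation": "true",  # CloudFormation also accepts string booleans
            },
        },
    },
}


def _truthy(value):
    """CloudFormation accepts both JSON booleans and the strings "true"/"false"."""
    return value is True or str(value).lower() == "true"


def _resources(template, type_name):
    """Yield (logical_id, properties) for every resource of the given type."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == type_name:
            yield logical_id, res.get("Properties", {})


def check_bucket_encryption(template):
    """Every S3 bucket must declare default server-side encryption."""
    findings = []
    for lid, props in _resources(template, "AWS::S3::Bucket"):
        rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        algorithms = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
        if not algorithms & {"AES256", "aws:kms"}:
            findings.append((lid, "S3-ENCRYPTION", "no default server-side encryption"))
    return findings


def check_bucket_public_access(template):
    """Every S3 bucket must block public ACLs and policies on all four settings."""
    required = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    findings = []
    for lid, props in _resources(template, "AWS::S3::Bucket"):
        pab = props.get("PublicAccessBlockConfiguration", {})
        missing = [k for k in required if not _truthy(pab.get(k))]
        if missing:
            findings.append((lid, "S3-PUBLIC-ACCESS", "not blocked: " + ", ".join(missing)))
    return findings


def check_cloudtrail_logging(template):
    """At least one trail must exist, be logging, and validate its log files."""
    trails = list(_resources(template, "AWS::CloudTrail::Trail"))
    if not trails:
        return [("<template>", "CLOUDTRAIL", "no CloudTrail trail defined")]
    findings = []
    for lid, props in trails:
        if not _truthy(props.get("IsLogging")):
            findings.append((lid, "CLOUDTRAIL", "IsLogging is not true"))
        if not _truthy(props.get("EnableLogFileValidation")):
            findings.append((lid, "CLOUDTRAIL", "log file validation disabled"))
    return findings


CHECKS = (check_bucket_encryption, check_bucket_public_access, check_cloudtrail_logging)


def evaluate(template):
    """Run every control; return a list of (logical_id, control, message)."""
    findings = []
    for check in CHECKS:
        findings.extend(check(template))
    return findings


def deployable(template):
    """The pipeline gate: True only when no control produced a finding."""
    return not evaluate(template)


if __name__ == "__main__":
    import sys
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for lid, control, message in evaluate(template):
        print(f"FAIL {control:<18} {lid}: {message}")
    raise SystemExit(0 if deployable(template) else 1)
```

Run without arguments it reports three findings on the constructed template and exits non-zero, which is what a CI stage would key on; pass a path to a JSON template to check a real one. The point of keeping each control as a small function returning findings, rather than a script that prints and aborts, is that the same checks can be run at pull-request time, at deploy time, and on a schedule against already-deployed state, which is what turns a one-off audit into continuous compliance.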
82% of companies with mature DevOps practices keep an audit trail documenting who changed what and when, compared with only 59% of companies with no DevOps practice. Mature DevOps companies monitor and audit every environment change across the SDLC, whereas companies that track changes manually have far less inherent traceability.
Companies with mature DevOps practices were therefore 23 percentage points more likely to keep an audit trail than companies without a DevOps practice, and 29% more likely to have all application-level credentials encrypted. Encrypting credentials helps prevent their accidental exposure in public code repositories — a common (and painful) occurrence in modern development teams.
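The credential-exposure problem named above is itself a candidate for an automated guardrail: a commit hook or CI step that rejects plaintext credentials while letting encrypted or referenced secrets through. The block below is an added example, not code from the report: it scans file contents for an AWS access key ID, a private key block, and any secret-named setting assigned a literal value. The conventions for what counts as “encrypted or referenced” (a sops-style ENC[...] ciphertext or a ${...} template reference) are assumptions for the example, as are the rule names; the sample file is constructed, and its AKIA value is the example key from AWS documentation, not a real credential.

```python
"""Credential-leak guardrail for a commit hook or CI step.

Added example, not from the report: rejects plaintext credentials in file
contents while allowing values that are encrypted at rest or reference a
secret store (assumed conventions: sops-style ENC[...] and ${...} references).
"""
import re

# Constructed sample file (no real secrets): the AKIA value is the documented
# AWS example key and the ENC[...] value is made-up ciphertext.
SAMPLE_FILE = """\
# app settings
db_host = "db.internal"
db_password = "hunter2"
db_password_enc = "ENC[AES256_GCM,data:4rbKQ9xv,iv:abc,type:str]"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = env("API_TOKEN")
-----BEGIN RSA PRIVATE KEY-----
"""

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
ASSIGNMENT = re.compile(r"""^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["'](?P<val>[^"']+)["']""")
SECRET_NAME = re.compile(r"passw(?:or)?d|secret|token|api_?key|private_?key|access_?key", re.I)
SAFE_VALUE_PREFIXES = ("ENC[", "${")  # assumed conventions: sops ciphertext, templated reference


def plaintext_credential(line):
    """True when a secret-named key is assigned a quoted literal that is not a
    ciphertext or a secret-store reference."""
    m = ASSIGNMENT.match(line)
    if not m or not SECRET_NAME.search(m.group("key")):
        return False
    return not m.group("val").startswith(SAFE_VALUE_PREFIXES)


# Rules are tried in order; the first match wins so each line yields one finding.
RULES = (
    ("AWS-ACCESS-KEY-ID", lambda line: bool(AWS_KEY_ID.search(line))),
    ("PRIVATE-KEY", lambda line: bool(PRIVATE_KEY.search(line))),
    ("PLAINTEXT-CREDENTIAL", plaintext_credential),
)


def scan(text):
    """Return (line_number, rule, stripped_line) for every offending line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, matches in RULES:
            if matches(line):
                findings.append((lineno, name, line.strip()))
                break
    return findings


def commit_allowed(text):
    """The hook's verdict: True only when nothing was flagged."""
    return not scan(text)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE
    for lineno, rule, line in scan(text):
        print(f"{rule:<22} line {lineno}: {line}")
    raise SystemExit(0 if commit_allowed(text) else 1)
```

On the constructed file the scan flags the plaintext password, the access key ID and the private key header, and passes both the ENC[...] value and the `env("API_TOKEN")` reference, which is the distinction the statistic above is really about: the credential may appear in the repository only in a form that is useless without a key held elsewhere. Pattern rules like these produce false positives on test fixtures, so in practice a hook needs an allowlist mechanism; none is shown here.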
DevSecOps: More than a Buzzword in 2019
As more teams adopt DevOps practices, they gain the opportunity to enforce security controls consistently through automated installation and upgrading of security tools, automated testing, automated patching, and so on. In a cloud environment, where these controls are easier to automate, DevSecOps can become a reality.