Delivering innovation doesn’t need to compete
head-to-head with safeguarding customer data. Learn why good security practices are imperative in an agile world.
This article was originally published on the Delphix website here October 3, 2019.
For many organizations, successfully integrating security into the software delivery lifecycle is still a huge obstacle.
Findings from the latest Puppet’s 2019 State of DevOps Report reveal only 22 percent of companies at the highest level of security integration have reached an advanced stage of DevOps maturity.
While there are myriad security practices and solutions in the market, why is it so hard to integrate security into software development? We walk through some of our top takeaways from this year’s report.
Innovation Versus Security is a False Duality
Feature delivery doesn’t need to be at odds with safeguarding customer data. While short-term gains can be achieved by prioritizing feature delivery speed over security, the long-term impact on the business can be quite damaging and immeasurable.
In non-production environments, security and compliance challenges are magnified as the number of data instances and internal users grow. In a world where companies are harnessing data and software to power their businesses, the vast majority of data breaches happen when data used for testing is copied out of production. That’s where a method like data masking can help protect data by obfuscating data into values that are anonymized but retain referential integrity to perform meaningful software testing and derive smarter insights.
Securing all software environments in both non-production and production systems can prevent anyone in the organization from accessing and exposing personal data in the first place.
To be on the forefront of today’s digital era, IT leaders must design security into their innovation workflow to safeguard sensitive data from external and internal threats.
Shifting Left is Not Enough
Good software development principles drive good security outcomes. Improving security isn’t just about moving practices to an earlier phase of the software lifecycle—it’s about adopting a new way of working that emphasizes cross-team collaboration and automation for easier and iterative implementation.
Adopting DevOps principles improves reliability, predictability, measurability, and observability in enterprise application deployments, which in turn, leads to more secure environments. While it’s not always easy to anticipate risk and threats, being able to adopt efficient and reliable security practices into the software development lifecycle can help companies recognize and react to threats more effectively.
Survey results also uncovered that eighty-two percent of firms with the highest level of security integrated into the software delivery life cycle said it significantly improved their security posture.
The benefits these firms garnered were threefold:
- Companies experienced higher deployment frequency, where 61 percent of organizations with complete security integration said they could deploy to production on demand at a significantly higher rate than firms at lower levels of integration.
- The time to remediate vulnerabilities decreased at higher levels of security integration
- Lastly, firms with deeper security integration were more equipped to halt a push to production to address a security issue.
As more and more organizations adopt agile development practices, they’re also recognizing the need for fast data delivery in their delivery pipeline. Global companies, like Belkin International, have turned to DataOps, a practice that focuses on the end-to-end delivery of data. Similar to DevOps, DataOps is centered around the strategic use of data, and in today’s world where every company is becoming a data company, data management is just as critical for businesses as software development.
Change is Never Easy
Integrating security into software delivery is hard and messy. Most people see security as a bottleneck that causes delays and frustration. The pressure to deploy a feature often leads to compromises that create risk for the business, and development teams may decide to release a product with an unresolved security issue, which opens up the code to vulnerabilities.
Fostering the culture of shared responsibility around security is critical. When organizations create harmony of high-trust environments, automation, and cross-functional collaboration between developers, testers, and operations, companies can mature in their DevOps journey and deliver applications that minimize exposure to risks.
Companies who are serious about improving their security need to adopt DevOps and better data management practices, like DataOps, to integrate security into every part of the software delivery lifecycle. In a world where a data breach can destroy a business, only the prepared and vigilant ones that embrace security in their operations will survive.