GitLab Research Reveals DevOps and Cybersecurity Disconnects
Finger-pointing has long been the name of the game when it comes to cybersecurity failures. After all, who should be responsible when so-called bad code or bad practices are blamed for the latest incident?
A recent survey by DevOps lifecycle tool company GitLab reveals a significant disconnect between application developers and cybersecurity professionals, a disconnect that can only lead to more security woes and additional finger-pointing. GitLab surveyed more than 4,000 app development and cybersecurity professionals and shed some light on the complicated relationship between the two groups.
For example, some 49% of the cybersecurity professionals surveyed claimed they struggle to get developers to make the remediation of vulnerabilities a priority. Sixty-eight percent of those same security professionals believe less than half of the developers they work with can identify security vulnerabilities before new code moves into the test cycle.
While cybersecurity professionals like to point the finger at the developer community, there are two sides to the survey. Almost 70% of the developers surveyed said that while they are expected to create secure code, they get little help or guidance from the cybersecurity experts with whom they work. Perhaps the fault lies with the lack of mechanisms to make cybersecurity a priority in many organizations. “We don’t have clear guidelines about security, so the different services present different levels of security,” noted one developer in the report.
While developers and cybersecurity professionals may be at odds, the report also revealed there is plenty of additional blame to go around. Case in point is the revelation that many organizations don't make cybersecurity a priority. Some 44% of those surveyed reported they are not judged on security vulnerabilities in their code. That creates an environment where developers don't have to consider cybersecurity issues when
With developers, cybersecurity professionals and even the companies they work for all at odds about the responsibilities of proper cybersecurity hygiene, one has to wonder how tomorrow’s vulnerabilities will be prevented.
“Our research tells us that while most developers are aware of the dangers that vulnerabilities present and want to dramatically improve their security capabilities, they often still lack organizational support for prioritizing secure code creation, increasing secure coding skills and implementing automated scanning and testing tooling to make that happen sooner rather than later,” said Colin Fletcher, GitLab’s manager of market research and customer insights.
Solving the blind spots around cybersecurity is going to take a different approach, one that further tears down the silos created around cybersecurity teams and development teams. There is a little bit of irony in that observation; after all, DevOps is all about tearing down silos and creating functional teams.
It’s also an irony not lost on those at GitLab. The company promotes solving the cybersecurity issues by adopting a good DevOps practice, one in which cybersecurity becomes an integral part of the DevOps process. According to GitLab, incorporating cybersecurity into DevOps has the positive result that the combined team is three times more likely to discover security bugs before code is merged.
The report offers some significant conclusions that support GitLab’s claims. For example, some of the top security findings include:
- Sec teams are three times more likely to discover bugs before code is merged with a good DevOps practice in place, and are 90% more likely to test between 91% and 100% of code than in an organization with early-stage DevOps.
- Nearly half of security pros surveyed (49%) said they struggle to get developers to make remediation of vulnerabilities a priority.
- Half of security professionals said bugs were most often found by them after code is merged in a test environment.
- Mostly remote teams are 23% more likely to have mature security practices than primarily office-based teams.
- Only 44% report security vulnerabilities are a performance metric for developers in their organizations.
GitLab also revealed there is another consideration, one of ownership. According to the report:
No part of software development raises more issues about ownership than the subject of security. The idea that everyone is responsible for security might be the ideal but it can also be part of the problem as everyone can easily turn into no one. Security professionals often complain about being on the outside, while developers and operations teams can resent being told how to prioritize their work. Our survey responses indicate developers are taking more responsibility for security, but of course a lot of work remains. In fact, only 20% of those surveyed rated their organization’s security efforts as good, while 36% said they were fair and 24% said they were poor.