A recent survey, sponsored by CloudPassage, has revealed the security challenges companies face on the path to adopting continuous development methods such as DevOps.
Some 102 information security professionals at a US industry conference were surveyed to understand how organisations are using the cloud, the dynamics between security and DevOps, and associated challenges and perceived benefits for integrating security and DevOps.
Key findings from the report
- 58% of respondents said their company brings security into the design stage of a product lifecycle.
- But only 50% of respondents believe that security is capable of moving as fast as new release cycles.
- 65% cited a lack of resources (i.e. talent and budget) and siloed departments as the biggest barriers to getting security into release cycles earlier.
- 64% said they have a mixed or hybrid cloud deployment; only 8% reported not having cloud infrastructure.
“For organisations to stay competitive today, they need a faster way to continuously innovate and release new products and services. As such, continuous development methods such as DevOps are becoming commonplace among the most innovative, successful companies,” said Sami Laine, Chief Technologist at CloudPassage.
“However, with these methods, security often gets left out or drags behind. Our survey results demonstrate that organisations must find a way to integrate security with DevOps if they want to realise the benefits of continuous delivery and stay safe at the same time,” Laine added.
Companies lack infrastructure to support continuous innovation
Two-thirds (65%) of security professionals cited both lack of resources (i.e. talent and budget) and siloed departments as the biggest barriers to getting security into release cycles earlier. Lack of resources was reported as the main barrier by 34% of the respondents. Fewer respondents, 18%, said security would slow down the release cycle. Eight per cent said they believe “DevOps derails security.”
Security is moving toward continuous software delivery
When asked the stage at which security is brought into software or product development release cycles, more than half of respondents (58%) said security is introduced during phase one, the concept and design phase. A quarter of respondents (22%) said security is brought in during phase two, the coding and implementation phase.
Mixed emotions on security moving as fast as releases
While more than half of respondents (58%) said security is brought into the development lifecycle early, over half of respondents (51%) disagreed and/or did not know whether security is capable of moving as fast as product or service release cycles.
Benefits of integrating security and DevOps span the business
One-third (33%) of security professionals said the biggest business benefit of integrating security into DevOps methods is better security, faster. Twenty-five per cent of respondents said they believe the biggest benefit is new applications without delays caused by security. Twenty-four per cent said the driver is improved relationships between DevOps and security teams.
Most businesses have mixed cloud environments
Nearly two-thirds (64%) of IT security professionals characterised their organisation’s cloud deployment as being “mixed or hybrid.” Alternatively, 16% of respondents described their cloud deployment as private, 13% said they operate in the public cloud, and just 8% of respondents said they do not have any cloud infrastructure.
Edited from press release by Cecilia Rehn.