29% of highest security integration orgs endure friction when collaborating
A hallmark of traditional security activities within organizations is the high tension between the security team, operations or IT, and core R&D engineering. When these teams are siloed, with their activities and overall goals unaligned, the resulting tension and friction manifests as poorly executed security activities.
When security practices are integrated throughout the SDLC, however, confidence in security practices rises across the entire organization. Furthermore, the Puppet report shows that security activities are more impactful when they take place very early in the SDLC.
Deep and frictionless security integration benefits security posture and collaboration
More specifically, threat modeling was named as the security activity with the most significant impact on an organization’s overall security posture and confidence level. Threat modeling aims to bring together all the business stakeholders — security, development, and operations — and focus them on answering fundamental questions such as “what are we building?” and “what can go wrong?”. This kind of activity creates a collaborative environment and a platform for open discussion and communication between all Dev, Sec, and Ops parties.
We recently conducted a study on the adoption of DevOps and DevSecOps, and one of the key takeaways was that 29% of all organizations positioned at the highest level of security integration still feel that security teams and delivery teams encounter a lot of friction when collaborating.
Some of the most influential practices in improving an organization’s security posture, according to Puppet, are:
- Security tooling used within a continuous integration pipeline helps engineers stay confident that they are not introducing known security problems into their codebases.
Such automated security tools often execute quickly, providing a good developer experience with a fast feedback loop that lets developers move swiftly without being blocked. Some of these tools also provide actionable remediation closely integrated into the developer’s workflow, further empowering developers to take responsibility for the security of the applications they develop.
- Infrastructure-related security policies are reviewed before deployment. Infrastructure as code (IaC) has become an integral part of much DevOps tooling, and it is rapidly expanding with cloud-native service provisioning and tools such as HashiCorp’s Terraform. Another example of IaC is the use of text-based configuration to provision container orchestration software such as Kubernetes.
However, a common security slip-up is to accidentally provision an insecure configuration, which can have a significant impact on an organization. For example, in one particular case, an insecure cloud storage configuration allowed improper access by non-authorized users and resulted in several data leaks, as we highlighted earlier in this report.
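The pre-deployment policy review described above, as an added example that is not part of the report or of any named tool: it assumes a simplified, constructed JSON representation of planned resources (resource type plus attributes) and blocks deployment when a storage bucket carries a public ACL or a Kubernetes pod runs a privileged container.

```python
"""Pre-deployment IaC policy check (added example; not from the report).

Assumes a simplified, constructed JSON shape for planned resources rather than
the exact output format of Terraform or kubectl.
"""
import json

# Constructed sample plan: two storage buckets and one Kubernetes pod.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "aws_s3_bucket", "name": "logs",
         "attributes": {"acl": "public-read", "versioning": False}},
        {"type": "aws_s3_bucket", "name": "backups",
         "attributes": {"acl": "private", "versioning": True}},
        {"type": "kubernetes_pod", "name": "worker",
         "attributes": {"containers": [
             {"name": "app", "securityContext": {"privileged": True}}]}},
    ]
})

# ACL values that grant access beyond the owning account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def check_bucket(res):
    """Flag storage buckets whose ACL exposes data to non-authorized users."""
    acl = res["attributes"].get("acl", "private")
    if acl in PUBLIC_ACLS:
        return [f"{res['type']}.{res['name']}: ACL '{acl}' exposes the bucket publicly"]
    return []


def check_pod(res):
    """Flag privileged containers, which bypass most container isolation."""
    findings = []
    for c in res["attributes"].get("containers", []):
        if c.get("securityContext", {}).get("privileged", False):
            findings.append(f"{res['type']}.{res['name']}: container '{c['name']}' is privileged")
    return findings


CHECKS = {"aws_s3_bucket": check_bucket, "kubernetes_pod": check_pod}


def review_plan(plan_json):
    """Return all policy violations; an empty list means the plan may deploy."""
    findings = []
    for res in json.loads(plan_json)["resources"]:
        findings.extend(CHECKS.get(res["type"], lambda r: [])(res))
    return findings


if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN):
        print("BLOCK:", finding)
```

Wiring `review_plan` into the CI stage that runs before `apply` turns the policy into a gate, so the insecure bucket is caught before it ever exists.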
That being said, 29% of all organizations positioned at the highest level of security integration still feel that security teams and delivery teams encounter a lot of friction when collaborating. On the bright side, this is still a better situation than the 47% of all organizations at the medium phase of security integration who share the same feeling. Notably, when security integration doesn’t exist, teams aren’t collaborating at all.
Another notable highlight from the Puppet report is that organizations with strong and deep security integration were able to prioritize security issues over generic feature delivery and address them faster. This is a strong statement — when security is viewed as a shared responsibility across the organization, minimizing security risk to the business takes precedence.