DevOps as an AppSec enabler

Aug 25, 2017 | 4 mins
Application Security, DevOps, Technology Industry

DevOps is turning out to be more security-friendly than most pundits predicted.


DevOps is turning out to be more security-friendly than most predicted. In the recent AppSec and DevOps Trends Report from ESG and Veracode, 45 percent of IT pros revealed that DevOps is actually bringing application security to the forefront and making it even easier to implement and manage. The report surveyed 400 IT, cybersecurity, and application developer professionals involved with application security initiatives about their perspective on AppSec’s role in a DevOps world. While conventional wisdom would say that security testing would have a hard time fitting into a fast-paced, frequently releasing DevOps environment, this isn’t always the case.

Importance of AppSec recognized

We have spent the past 10 years talking about the importance of application security, and it’s frequently been a tough sell. But as the headlines about breaches proliferate, and the role of applications in supporting businesses expands, the message finally seems to be getting through. Eighteen percent of participants in ESG’s research indicated that code testing and application security was the software development teams’ top priority, up seven percentage points from 2015. Likewise, a whopping 62 percent said that AppSec was very important, compared with 55 percent in 2015.

DevOps’ effect on application security

But is the shift to faster and more frequent development cycles going to hinder AppSec’s forward momentum? According to these survey results, and from our experiences in the field as well, DevOps is actually enabling application security adoption, rather than hindering its progress.

Overall, the survey respondents indicated that the shift toward DevOps is both streamlining the development process, and enabling the integration of security testing.

The respondents pointed to the following DevOps attributes that are making application security more streamlined and effective:

Earlier and automated testing: The DevOps model pushes security considerations “left” into earlier stages of the development cycle. Forty-three percent of the ESG survey respondents noted that correcting security defects in the development stage is more efficient than patching production systems. Developers and security teams also reported that DevOps’ focus on automation has improved development efficiency and code security.

Collaboration: In traditional development organizations, the security team and development team operated in separate silos that interacted infrequently, and often unpleasantly. This survey reveals that Agile and DevOps processes are encouraging developer and security teams to work together at different stages throughout the software development lifecycle, which makes it possible to find and fix vulnerabilities earlier in the process. This communication gives developers a better understanding of the security implications of their architecture and implementation choices, and gives security professionals a better grasp of the constraints developers work under. Fifty-eight percent of respondents indicated that AppDev and security collaborate to prioritize security defects based on likelihood of exploitation, and 45 percent said that the security team regularly participates in daily scrums and planning meetings.

What’s needed for AppSec to thrive in DevOps

While the survey reveals that developers and security teams are acknowledging and embracing the importance and benefits of AppSec, it also reveals that complexity, workflow integrations, and price are creating obstacles to greater adoption.

Teams are finding standalone tools insufficient in contemporary application environments, where development, testing, and production are highly automated. The highest levels of effectiveness and efficiency are realized when tools are tightly integrated into the workflow, so that their use becomes not only mandatory but automatic. Accordingly, 42 percent of respondents indicated that the ability to integrate into the software development lifecycle was their most important criterion when evaluating Static Application Security Testing (SAST) tools. Other considerations, almost equally important, are accuracy of test suites (40 percent), support for both client- and server-side code testing (36 percent), price (35 percent), and ease of use (34 percent).

In fact, the ability to integrate SAST (42 percent) or Dynamic Application Security Testing (DAST) (34 percent) into the AppDev and DevOps processes was the single most important tool selection criterion for each tool type.
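To make concrete what "mandatory and automatic" integration and "prioritizing defects by likelihood of exploitation" look like in a pipeline, here is an added example (not code from Veracode, ESG, or the report): a small CI gate that merges SAST and DAST findings, ranks them by an exploitability-weighted score, and decides whether a build may proceed. The finding records, the scoring weights, and the blocking threshold are all constructed for illustration; a real team would derive them from its own tools and risk policy.

```python
"""Constructed CI security gate: ranks SAST/DAST findings by likelihood of
exploitation and blocks the build when the top risk exceeds a policy threshold.
Hypothetical data model and weights; not any vendor's scoring scheme."""
from dataclasses import dataclass

@dataclass
class Finding:
    tool: str              # "sast" or "dast" (constructed labels)
    rule: str              # constructed rule id, e.g. "sql-injection"
    severity: int          # 1 (low) .. 5 (critical), as reported by the tool
    in_diff: bool          # introduced by the change under review (shift-left)
    internet_facing: bool  # code path reachable from an untrusted network
    dast_confirmed: bool   # a DAST run reproduced the SAST result at runtime

def exploit_likelihood(f: Finding) -> float:
    """Heuristic 0..1 score: runtime confirmation and exposure dominate."""
    score = 0.2
    if f.dast_confirmed:
        score += 0.5
    if f.internet_facing:
        score += 0.2
    if f.in_diff:
        score += 0.1
    return min(score, 1.0)

def risk(f: Finding) -> float:
    return f.severity * exploit_likelihood(f)

def prioritize(findings):
    """Order the shared AppDev/security backlog, highest risk first."""
    return sorted(findings, key=risk, reverse=True)

def gate(findings, block_at: float = 3.0):
    """Return (passed, ranked). Block when any finding's risk exceeds block_at,
    or when the change itself introduces a severity>=4 defect."""
    ranked = prioritize(findings)
    for f in ranked:
        if risk(f) > block_at or (f.in_diff and f.severity >= 4):
            return False, ranked
    return True, ranked

# Constructed sample results from one pipeline run.
CONSTRUCTED = [
    Finding("sast", "sql-injection", 5, in_diff=True, internet_facing=True, dast_confirmed=True),
    Finding("sast", "weak-hash", 2, in_diff=False, internet_facing=False, dast_confirmed=False),
    Finding("dast", "missing-csp", 3, in_diff=False, internet_facing=True, dast_confirmed=True),
]

if __name__ == "__main__":
    ok, ranked = gate(CONSTRUCTED)
    print("build passes" if ok else "build blocked")
    for f in ranked:
        print(f"{f.rule:15} risk={risk(f):.1f}")
```

Wiring `gate()` into the pipeline as a required step, rather than as an optional report, is what turns the survey respondents' "mandatory but automatic" into practice.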

DevOps brings security into the quality definition

With the right solutions and collaborative model, DevOps can be a great enabler of security. These survey results do indicate that, although there is work to be done and issues to resolve, DevOps is moving us toward security as simply another quality requirement.


Chris Wysopal is CTO at Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, Chris was vice president of research and development at security consultancy @Stake, which was acquired by Symantec.

In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified before the U.S. Congress on the subjects of government security and how vulnerabilities are discovered in software.

Chris holds a bachelor of science degree in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

The opinions expressed in this blog are those of Chris Wysopal and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.