According to the results of a recent survey, some enterprises are trying to catch up and increase security integration in their development cycle and cloud adoption plans. The report on the State of Modern Applications in the Enterprise shows that 78% of respondents listed integration of security into more IT projects and operations as a key priority, ranked third behind meeting business needs faster and delivering greater quality software more quickly.
The survey, administered in April by Hanover Research and commissioned by cloud solutions provider Ahead, gathered responses from more than 300 IT decision makers at US-based companies with at least 1,000 employees. Requirements to be counted among respondents included having input on IT spending, focusing on application development, and working in IT, product management, or development.
Though the notion of DevSecOps continues to gain momentum, Ahead’s Tim Curless, chief architect, says there can be a need to extend an olive branch on behalf of security within some organizations. There can be breakdowns in working with security, he says, in companies with some stakeholders reluctant to make security part of development plans. “They have this fear of involving them based on historical impediments and slowness that it causes,” Curless says.
Staffing for security also can be an issue with organizations, whether it means trying to train up current employees or recruiting such expertise. Curless says some organizations may have relatively small security teams and not see a way to embed them into other parts of operation.
These and other reasons have contributed to security being regarded as something of an impediment in the development cycle, says Steve Pydyn, Ahead’s solutions architect. “Security is often seen as a cost center or not worth its money until it’s a little bit too late.” In other words, the value of security is often not felt until after an incident occurs that demonstrates why it is necessary. If handled right, he says, security can be a seamless element throughout the lifecycle.
Part of changing perspectives, Pydyn says, includes showing leadership within organizations that security is an important asset. The strategy should also ensure developers have time budgeted for security activities and make sure that they invest in programs that demonstrate this importance, he says. “A lot of times, security is seen as a speed bump instead of as a guardrail where security should exist to facilitate the business and not a separate process.”
With many organizations focused on continuous integration, Curless says security can become an afterthought during transformation as companies put an emphasis on tools and processes around static and dynamic analysis.
The route organizations choose to leverage the cloud can also affect short-term and long-term outcomes of their strategy. Curless says the lift and shift approach can be a way for organizations to say they are getting onboard with the cloud but that can overlook opportunities for different approaches, such as going cloud native. “Lift and shift can be costly and does not change the positions of applications and how they are used,” he says.
There are nuances to moving to the cloud that Pydyn says should not be ignored. “Businesses should stop looking at applications that are lifted and shifted into the cloud as the same applications,” he says. “It is not an efficient economic model to run the same application in the cloud.” Moving a monolithic legacy application to the cloud with little functional change ignores aspects such as microservice architectures and cloud-native platforms that can better take advantage of the medium. Another aspect to consider is visibility into the application stack, Pydyn says, because through lift and shift, legacy apps can become rather opaque. They still might get the job done, but it leaves certain potential unrealized that might have been beneficial. “If a legacy app gets broken down into components and they introduce security or audit stages in the development of the pillars within the application, it weaves security more deeply into it,” he says.