Many organisations that are turning to DevOps are struggling with various security challenges along the way. “The Ultimate Guide of Orchestrating Security and DevOps” traces those obstacles to a lingering “cultural conflict” between developers and security teams. Security teams struggle to keep up with the pace that DevOps teams are used to, for instance, while DevOps teams are culturally resistant to anything, security and testing included, that could disrupt their work and slow down development. Together, these differences keep DevOps and security apart, a separation that costs more time and effort when vulnerabilities inevitably surface after a piece of software has already rolled out.
Uncovering Developers’ Lack of Security Training with DevOps
Organisations need to invest more in security if they are to make the most of their transition to DevOps. That’s where DevSecOps comes in. Here’s how Ampcus Cyber describes this new paradigm in its whitepaper:
DevSecOps is technology agnostic and organisations can use a combination of technologies, policies, and procedures to secure the DevOps pipeline. DevSecOps relies on collaboration between departments, who share the responsibility for establishing and enforcing security practices at every step of the SDLC. Development teams should ensure that their products are reliable, data is protected, and they must comply with regulatory and governance protocols.
That being said, security doesn’t necessarily come naturally to developers. Take the infrastructure-as-code templates that developers and DevOps teams use to configure their cloud infrastructure, for example. As reported by DevOps.com, a research team found that more than 199,000 such templates in use on the public cloud suffer from medium- to high-severity vulnerabilities. The researchers attributed those gaps to the pace at which developers are pushing applications to the public cloud: teams follow the three-step DevOps process of design, code and deploy, but not all of them add a step that scans the templates for security issues before deployment.
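To make concrete what that missing scan step looks like, here is an added example that is not from the article, the DevOps.com report or any vendor tool: a small Python script that checks CloudFormation-style JSON templates for three common classes of misconfiguration and refuses to let the deploy step run while any high-severity finding is open. The rules, the severities and both sample templates (one weak, one hardened) are constructed for illustration.

```python
"""Minimal infrastructure-as-code scan step for a design/code/deploy pipeline.

Added example, not taken from the article or any vendor tool. It parses
CloudFormation-style JSON templates (constructed inline below) and flags
three common classes of misconfiguration with an illustrative severity.
"""
import json

# Admin/database ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def port_range_has_admin_port(lo, hi):
    """True if any admin port falls inside [lo, hi]; None or -1 means 'all ports'."""
    if lo in (None, -1) or hi in (None, -1):
        return True
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def scan_template(template):
    """Return a list of findings; each is (severity, resource_name, message)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})

        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in WORLD_CIDRS and port_range_has_admin_port(
                        rule.get("FromPort"), rule.get("ToPort")):
                    findings.append(("HIGH", name, f"admin port range open to {cidr}"))

        elif rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                findings.append(("HIGH", name, "bucket ACL grants public access"))
            if "BucketEncryption" not in props:
                findings.append(("MEDIUM", name, "no server-side encryption configured"))

        elif rtype == "AWS::RDS::DBInstance":
            if props.get("PubliclyAccessible") is True:
                findings.append(("HIGH", name, "database is publicly accessible"))
            if props.get("StorageEncrypted") is not True:
                findings.append(("MEDIUM", name, "database storage is not encrypted"))
    return findings


def pipeline_gate(findings, block_on=("HIGH",)):
    """The deploy step may run only if no finding has a blocking severity."""
    return not any(sev in block_on for sev, _, _ in findings)


# Constructed sample: the kind of template the report describes, shipped without a scan.
WEAK_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Assets": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"PubliclyAccessible": true}}
  }
}""")

# Constructed sample: the same stack with every finding fixed.
HARDENED_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "Assets": {"Type": "AWS::S3::Bucket", "Properties": {
      "AccessControl": "Private",
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "PubliclyAccessible": false, "StorageEncrypted": true}}
  }
}""")

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        found = scan_template(tpl)
        for sev, res, msg in found:
            print(f"[{sev}] {label}/{res}: {msg}")
        print(f"{label}: deploy allowed = {pipeline_gate(found)}")
```

Run as-is, the weak template produces three high and two medium findings and the gate blocks deployment; the hardened template produces none. In a real pipeline this check sits between the code and deploy steps, and the rule set would come from a maintained policy library rather than a hand-written list, but the shape is the same: parse the template, evaluate rules, and fail the build on blocking severities so misconfigurations are caught before they reach the public cloud.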
On the Need for Developer Security Training
In response, organisations need to focus on offering security training to their developers. Those that choose to do so will effectively set themselves apart from most organisations in the process. Indeed, an ESG survey report found that just 20% of organisations offer security training to new developers who join the company, while about a third (35%) of respondents said that less than half of their developers participate in any formal training at all.
Even organisations that said they train all of their developers generally didn’t emphasise the importance of those programmes: fewer than half of respondents require their developers to take formal security training more than once a year.
Organisations are making a big mistake in not taking the security training of their developers more seriously. Quoting from our Whitepaper:
Developer security training is foundational to all the security tracks highlighted in this procedure. Without this training, together with experience and a security mindset, it will not be possible to do threat modeling, write accurate security user requirements, or evaluate Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) results.
All of this raises the question: how can organisations go about properly training their developers?
First, they need to remember where their developers are coming from. Security Boulevard clarifies that developers don’t naturally focus on security because they’re “builders” and not “breakers.” Their job is to focus on creating functional features, not trying to figure out what could go wrong. As a result, organisations can’t presume that developers will naturally think like security experts. They need to provide their developers with structured training that walks them through the security concepts that they need to know.
Second, they need to offer training that doesn’t waste developers’ time. Security Boulevard explains in another blog post that the training should consist of courses with demos and practical examples that relate directly to the technology and platforms the developers are using. To make the most of that training, organisations can offer micro-modules to their developers via an online education portal. This format emphasises targeted learning, continuous recall and personalised bursts of education whenever time permits. Organisations can also encourage their developers to make time for training by creating an incentive structure tied to the number of courses or series of courses they complete as part of the security training programme.
What Can Be Done
Creating a security training programme that accomplishes all of the above might be difficult for organisations to do on their own, especially if they’ve never offered this type of training before. Fortunately, they can close that gap by working with a managed services provider. Such a provider uses its end-to-end DevSecOps consulting services and solutions to assess the organisation’s existing DevOps and security maturity levels, training and tools. It then creates solution frameworks, formulates a tailored plan and executes it, implementing and supporting new DevSecOps initiatives that build security into build automation, environment management and other areas of the business, while adopting the supporting processes, technologies, training and governance measures.
Security might not come naturally to developers. But with the right managed services provider guiding them, organisations can offer the training that their developers need in order to make DevSecOps into an efficient reality.