Integrating Security

into DevOps
Speeds Delivery and
Reduces Risks
WHITEPAPER
Sponsored content A new survey indicates that deploying DevSecOps methods
and automated testing tools can help organizations counter
cyber threats that exploit faulty code and unpatched
systems.

The DevOps movement and model, in which software developers work more
collaboratively with their organization’s operational teams, has become a mainstream
practice in recent years. Thanks to the DevOps approach, the applications produced
nowadays are much more likely than in the past to address key corporate requirements
and objectives. DevOps has also helped organizations become more responsive to
employee and customer needs by delivering software faster.

Unfortunately, information and application security has often been an afterthought in

the software development process. With cyberattacks escalating dramatically, the risks
and consequences associated with flawed code and faulty infrastructure configurations
have grown severe. This new reality has sparked intense interest in adding security and
compliance testing throughout the software development lifecycle (SDLC).

This an enhanced and extended approach to the SDLC—known as DevSecOps—has

IN THIS PAPER: already been embraced by many organizations, at least conceptually. In practice, some
companies are merely adding a bit more security testing into the process, rather than fully
ADOPTERS are integrating security teams and practices from the initial application planning through to
organizations that the deployment and operational stages. More fundamentally, some companies continue to
have either instituted harbor strong doubts about the DevSecOps model, believing that inserting security and
DevSecOps practices, compliance testing into the SDLC process will slow software delivery, increase costs, and
deployed automated introduce other burdens.
security testing tools,
or both.

NON-ADOPTERS The Rise of DevSecOps and

are organizations
that have not Automated Testing
implemented
DevSecOps or With crippling cyberattacks causing widespread operational, economic, and reputational
deployed automated harm, “building security from the ground up” has become a common refrain within
security testing tools. software development circles. Delivering on this objective, however, has been a hit-or-miss
proposition for many organizations, despite the fact that most cyber breaches have been
shown to come from known threats and vulnerabilities.

To be effective, security defenses must be designed, applied, tested, and validated at

multiple levels. The process starts with the code that makes up each application, and
ultimately extends to infrastructure configurations, application interdependencies, and the
security policies that companies institute.

2 © 2022 Progress. All Rights Reserved.

 Ideally, DevSecOps encompasses processes and tools that integrate security and
compliance considerations and/or testing across all eight stages of the SDLC. Those
stages:
• Plan
• Release
• Code
• Deploy
• Build
• Operate
• Test
• Monitor

One challenge in adding security and compliance elements to all these stages is that
operational, development, security, and compliance professionals have their own
language and corporate culture. Fortunately, the software code itself, along with codified
infrastructure configurations, can serve as a common source of truth shared and
understood by all the participants who play a role in the SDLC.

Furthermore, automated tools can greatly aid the DevSecOps process. For example,
some tools can test code for known vulnerabilities, exploits, and misconfigurations—and
automatically remediate any identified flaws.

Automated tools can also leverage metadata to “understand” compliance requirements

and ensure those requirements are being met throughout the SDLC. By leveraging
metadata, the tools can validate system security while also providing data that both
informs and speeds time-consuming security audits.

Eight Stages of the Software Development Lifecycle

1 2 3 4 5 6 7 8

Plan Code Build Test Release Deploy Operate Monitor

3 © 2022 Progress. All Rights Reserved.

 Indeed, the IDG survey identified important differences between organizations (“adopters”)
that have embraced DevSecOps and/or automated testing and their non-adopter peers. On
many levels, adopters do a better job than nonadopters when it comes to adding security and
compliance elements across the SDLC, and in realizing a variety of subsequent security and
operational benefits.

Evaluating Security and Compliance

Throughout the SDLC
One key takeaway from the IDG survey: most organizations are already assessing
security and compliance at many stages of the SDLC. Still, those who have adopted
DevSecOps methods and/or automated testing tools as part of their initiatives perform
such assessments more often and at more stages than others. Thought of another way,
the adopters are doing a better job of ensuring “continuous compliance” throughout the
process.

As shown in Figure 1, fully three-quarters of adopter organizations assess for security and
compliance at the planning, testing, and deployment stages of the SDLC—significantly
more than their non-adopter peers. And, at least half of the adopters perform such
assessments at all the other stages, save for the coding phase.

Figure 2. Benefits of integrating DevSecOps into the SDLC

Adopters assess for security and compliance Plan 75%

56%
more than non-adopters in most stages of
SDLC... 44%
Code 33%
Adopted
Build 58%
Non-adopted 56%

Test 75%
67%

Release 50%
47%

Deploy 76%
... while non-adopters outpace adopter 67%
assessment in only two stages.
Operate 64%
Non-adopted 58%

Adopted Monitor 56%

53%

4 © 2022 Progress. All Rights Reserved.

By comparison, non-adopters lag behind adopters in their security and compliance
assessments at all but the last two stages of the SDLC—operate and monitor. The
overrepresentation of non-adopters at these last stages suggests they are backloading
the assessment process in an attempt to rectify flaws not caught and corrected during the
earlier stages.

As they work to improve their application and information security, all organizations must
understand that producing 100% secure code 100% of the time is an unattainable ideal.

Indeed, both the adopter and non-adopter respondents surveyed by IDG admitted their
organizations had released applications with security flaws in the past year, with 2-3 flawed
applications released on average.

Knowing that they will inevitably release flawed software, companies should feel even more
incentive to adopt DevSecOps practices and tools. Why? Because DevSecOps organizations are
in a position to identify and rectify flaws faster, and ultimately can release more software to their
customers than can their non-adopter peers.

Benefits from Continuous Security

and Compliance Assessments
Beyond struggling to generate and deploy secure software, adopters and non-adopters
shared another trait: both groups recognized that involving their security teams in the
SDLC could result in the production of higher-quality code. Large majorities—86% of
adopters and 81% of non-adopters—said security team involvement makes code better.

A significant split occurred between adopters and nonadopters, however, in their

assessments of the impact of security team involvement on the pace of software delivery.
The disparity in perspectives indicates that adopters of DevSecOps and automated testing
best practices are better able to efficiently leverage their security teams’ expertise.

Among adopters, nearly half (47%) said that security team involvement actually
speeds the pace of development. Another 39% said that such involvement has no
negative impact on development time. “All teams work in tandem, so the timelines are
squeezed,” explained the director of a midsize technology company. Another adopter—the
CIO of an education solutions company—said, “Recognizing errors and finding solutions
makes distribution fast.”

5 © 2022 Progress. All Rights Reserved.

By contrast, 42% of the non-adopters say security team involvement slows the pace of
development. “There is ongoing intervention by the security team, therefore we factor in
delays,” said one survey respondent, a director of a midsize financial services company.

Along with a better ability to capitalize effectively on the involvement of their security
teams, adopter organizations are more likely than non-adopters to see a number of
additional benefits by integrating DevSecOps practices into their SDLCs. The most
significant of the benefits was an improved efficiency in technology audits, which
encompass not just software code but also infrastructure configurations and the operation
of in-production applications.

Among the IDG survey respondents, the average security audit took two months, with
one-third of the survey respondents saying such audits take 3-6 months. Clearly, speeding
this process can produce big dividends, by generating faster results and giving auditors
time back to perform more strategic tasks.

Beyond accelerating audits, nearly half or more of adopters saw four other key benefits, as
shown in Figure 2.

Figure 2. Benefits of integrating DevSecOps into the SDLC

Improved efficiency 71%

of adults

Greater agility 60%

Reduced risk of breach 60%

Faster product rollout 49%

Increased innovation 49%

Cost savings 43%

6 © 2022 Progress. All Rights Reserved.

 Continuous Compliance with Chef
Software Solutions
As one of the founders of the DevOps movement, Chef Software offers a portfolio of
solutions to automate infrastructure configuration, security, compliance, and application
delivery to bring continuous automation to the SDLC. Among its many industry
recognitions, the company won Computing magazine’s 2019 award for Best DevOps Cloud
Product as well as Cloud Computing magazine’s 2019 Cloud Computing Product of the
Year award.

Chef is now among the leading companies offering solutions to enable DevSecOps. Its
flagship offering, the Chef Enterprise Automation Stack, includes two key components,
Chef InSpec and Chef Infra. Combined, these offerings detect and correct for security and
compliance at different stages of the SDLC. They automate configurations and ensure that
infrastructure remains consistent, compliant, and secure throughout its lifetime, even in
complex, heterogeneous, and large-scale environments.

With its offerings, Chef allows organizations to define “everything as code”—compliance

policies, infrastructure, and application dependencies—providing a common DevSecOps
language that can be shared, scaled, and automated. Chef solutions include pre-built
content to enable compliance to industry standard security benchmarks such as CIS
(Center for Internet Security) and DISA STIGs and are customizable to any enterprise-level
compliance standards. Chef’s “everything as code” approach speeds software delivery,
improves adherence to security and compliance standards, and significantly reduces time
spent on audit and remediation activities.

For further information about how Chef Software’s solutions and services can help your
organization produce secure and compliant code and infrastructure, delivering on the full
promise of DevSecOps, go to www.chef.io/solutions/devsecops/.

Learn More
www.chef.io/solutions/devsecops

© 2022 Progress Software Corporation and/or its subsidiaries or affiliates. /getchefdotcom learn.chef.io
All rights reserved. Rev 2022/02 | RITM0140982 /chef github.com/chef
/getchef twitch.tv/chefsoftware
/company/chef-software