DevOps suffering security skills
21 August 2017
Software developers aren't receiving necessary training as DevOps becomes the prevalent approach to building and operating digital products and services.
In today’s application-centric economy that gap could have real impact on the productivity of businesses in every industry, as well as on the security and quality of the software that underpins the digital economy.
The 2017 DevSecOps Global Skills Survey, sponsored by Veracode and acquired by CA Technologies, and DevOps.com, found that while 65 percent of DevOps professionals believe it is very important to have knowledge of DevOps when entering IT, they’re not receiving the necessary training through formal education to be successful in today’s DevSecOps world (70 percent). DevSecOps refers to the practice of integrating security into the development and testing of software for a “shift left” mentality for faster, better quality outcomes.
The on-demand nature of today’s digital economy has driven the need to focus on innovation and improve the overall workflow of the modern enterprise. Implementing DevSecOps processes, in software development and deployment as a means of fuelling this effort, has highlighted the fact that today’s formal education for IT and development professionals has not evolved in the same way, or as quickly, as development has shifted. Those surveyed said that their IT workforce is only somewhat prepared (55 percent) or not prepared (nearly 30 percent) with the skills necessary to securely deliver software at the speed of DevOps. In fact, nearly 40 percent of hiring managers surveyed reported that the hardest employees to find are the all-purpose DevOps gurus with sufficient knowledge about security testing. This poses a significant challenge, as more than 50 percent of organisations said that either the entire organisation or some of their teams are currently utilising DevOps practices.
DevSecOps adoption requires organisations to minimise the skills gap
Although nearly 80 percent of respondents have a bachelor or master’s degree – with 50 percent reporting that they studied and earned degrees in computer science – there is still a lack of cybersecurity knowledge prior to entering the workforce. The survey found that 70 percent of respondents said the security education they received is not adequate for what their current positions require, and that they’re learning their most relevant professional skills on the job (65 percent).
“With major industry breaches further highlighting the need to integrate security into the DevOps process, organisations need to ensure that adequate security training is embedded in their DNA,” said Alan Shimel, editor-in-chief, DevOps.com. “As formal education isn’t keeping up with the need for security, organisations need to fill the gap with increased support for education.”
According to the survey, slightly less than half of respondents said their employers paid for additional training since their entry into the workforce – and nearly seven in 10 developers report that their organisations provide them with inadequate security training. Third-party training, either in the classroom or through e-learning, was identified by one in three surveyed as the most effective way to gain new, relevant skills – but the study confirmed that very few are afforded the opportunity (four percent).
“WannaCry and Petya are just two recent examples of large-scale cyberattacks that further demonstrate the importance of security in today’s exceedingly digital world. Despite this apparent need, security practices and secure software development isn’t required to earn a degree in IT or computer science,” said Maria Loughlin, VP of Engineering, Veracode. “Our research with DevOps.com highlights the fact that there are no clear shortcuts to address the skills gap. Higher education and enterprises need to have a more mature expectation around what colleges should teach and where organisations need to supplement education given the ever-changing nature of programming languages and frameworks. The industry will have to come together to ensure the safety of the application economy.”
The study, commissioned by Veracode and conducted by DevOps.com, surveyed nearly 400 DevOps professionals globally. To read more about how DevSecOps builds a bridge between fast and secure software development, download Veracode’s Developer’s Guide to the DevSecOps Galaxy.
To view the infographic and access to the full research report, visit the Veracode blog.