Overcoming the Top 3 DevOps Security Challenges
March 05, 2020

Ramachandra Reddy Annadi
Qentelli

As the expansion of DevOps into DevSecOps shifts into higher gear in 2020, companies are struggling to balance the accelerated automated software development cycle with an integrated and thorough software security strategy.

The key in doing so is to take DevSecOps at face value and do what the technology demands — move the application and infrastructure security to the front of the software development line while maintaining a fast-paced DevOps workflow in the process. Ensuring that security provisioning, patching, hardening, and configuration is applied through code would save both time and money.

The data bears that sentiment out. A 2019 study from Puppet, CircleCI and Splunk, Inc. shows that software teams earning the highest DevSecOps security development grades are the ones who have accomplished two key tasks:

■ Automating teamwide security policies.

■ Having the ability to get the team going right out of the gate in the software development lifecycle, especially in deploying key planning and design initiatives.

Do that, the study says, and you've gone a long way in meeting the toughest DevOps security challenges. After all, a growing enterprise may loosen the strings when it comes to performance, upgrades or development in crisis, but never on security.

The reality, unfortunately, is that most C-level executives are unwilling to sacrifice speed for security. Data from Threat Stack shows 68% of business executives say their CEO doesn't allow DevOps teams to deploy any security measures that slow the company down. Compromising on security for a faster-time-to-market often damages the main cycle of trade at the time of catastrophe.

While the speed versus security is still one of the biggest DevOps security challenges in 2020, it certainly isn't the only one. The following three security challenges will likely keep DevOps strategists up at night, with no clear resolution in sight if left unattended.

A disconnect between security and development

Symmetry is the holy grail of DevSecOps, but so far, the evidence shows that software security and software development don't always want to share the same sandbox.

The same Threat Stack study shows that 57% of businesses note their software development teams "push back" against system security best practices. Furthermore, 44% of software developers aren't trained to code securely. Until software and security get on the same page and collaborate on DevOps security and collaborate more efficiently, expect more pushback and less push forward on security issues.

The best path to progress?

Instill a collaborative team culture between software and security and have leaders of both teams spend time walking in the other team leader's shoes. Share information, swap stories and see how the other side lives on a day-to-day basis.

Once teams do this, they'll better understand the needs and realities of each team and can move forward together to find resolutions. This will benefit the overall security scene of development beyond just patching broken code and fixing bugs in real-time.

Not enough company stakeholders are security savvy

The idea with DevSecOps is to build teams that work in an integrated style, led by security-savvy team leaders. This, unfortunately, is not always the case as too many companies adopt silo approaches with team leaders and developers.

Both are kept at arm's length from the knowledge they need to build better DevSecOps solutions and are unable to fully comprehend what tools to use — and how to use them — to better safeguard company-wide software security.

The solution? Beef up company cybersecurity expertise with more robust hiring programs. Look for cybersecurity talent that has the management skills, knowledge and, most importantly, the desire to keep learning and share that knowledge with software team personnel.

With DevSecOps, knowledge really is power, and the more people motivated to gain and share that knowledge, the more robust your system security program becomes.

Compliance at risk

Yes, most software development team leaders want to accommodate key regulations like HIPAA, GDPR, and PCI/DSS. The risk of not doing so can lead to financial loss and company reputational hazard. Performing SOC audits at least once a year adds an added layer of integrity and trust to the clients and stakeholders. SOC audit need not be an external one all the time. An internal System and Organization Control reporting can not only reduce compliance costs and time spent but also proactively addresses risks across the organization and increases trust and transparency.

While there is an impetus to comply with data security mandates and regulations, that disconnect between DevOps (which prioritizes speedy turnaround times) and DevSecOps (which emphasizes the curbing of risk and meeting compliance goals) gets in the way of true compliance security practices.

One solution gaining steam is having the security teams automate compliance testing, which enables the process to move apace with automated data checks and still gain optimal results. Once the software development team sees that security is being efficient timewise and control outcomes are favorable, the easier it will be for teams to work together, emphasize agility, and produce consistent results — both on DevOps as well as DevSecOps side.

Finally, DevSecOps not only redefines the SDLC but also improves the quality and efficiency of the product through security. The leaders must enable their organizations to get over the above-mentioned challenges and work towards making security a part of business strategy.

Ramachandra Reddy Annadi is Technical Architect, Innovation, at Qentelli
Share this

Industry News

April 17, 2025

GitLab announced the general availability of GitLab Duo with Amazon Q.

April 17, 2025

Perforce Software and Liquibase announced a strategic partnership to enhance secure and compliant database change management for DevOps teams.

April 17, 2025

Spacelift announced the launch of Saturnhead AI — an enterprise-grade AI assistant that slashes DevOps troubleshooting time by transforming complex infrastructure logs into clear, actionable explanations.

April 16, 2025

CodeSecure and FOSSA announced a strategic partnership and native product integration that enables organizations to eliminate security blindspots associated with both third party and open source code.

April 16, 2025

Bauplan, a Python-first serverless data platform that transforms complex infrastructure processes into a few lines of code over data lakes, announced its launch with $7.5 million in seed funding.

April 15, 2025

Perforce Software announced the launch of the Kafka Service Bundle, a new offering that provides enterprises with managed open source Apache Kafka at a fraction of the cost of traditional managed providers.

April 14, 2025

LambdaTest announced the launch of the HyperExecute MCP Server, an enhancement to its AI-native test orchestration platform, HyperExecute.

April 14, 2025

Cloudflare announced Workers VPC and Workers VPC Private Link, new solutions that enable developers to build secure, global cross-cloud applications on Cloudflare Workers.

April 14, 2025

Nutrient announced a significant expansion of its cloud-based services, as well as a series of updates to its SDK products, aimed at enhancing the developer experience by allowing developers to build, scale, and innovate with less friction.

April 10, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Infinity Platform has been named the top-ranked AI-powered cyber security platform in the 2025 Miercom Assessment.

April 10, 2025

Orca Security announced the Orca Bitbucket App, a cloud-native seamless integration for scanning Bitbucket Repositories.

April 10, 2025

The Live API for Gemini models is now in Preview, enabling developers to start building and testing more robust, scalable applications with significantly higher rate limits.

April 09, 2025

Backslash Security(link is external) announced significant adoption of the Backslash App Graph, the industry’s first dynamic digital twin for application code.

April 09, 2025

SmartBear launched API Hub for Test, a new capability within the company’s API Hub, powered by Swagger.

April 09, 2025

Akamai Technologies introduced App & API Protector Hybrid.