Once again this year, I was fortunate to be a contributor to Puppet’s State of DevOps Report. Working on this report is always enlightening, and I’ve used this research over the last 8 years to learn about the state of the industry, what works in practice, and where organizations are stalling out and having issues.

This year’s theme was security, and integrating it into DevOps practices. We asked thousands of participants about the role security has played in their ability to deliver software. The participants fit a wide variety of demographics, including a significant sample of folks in the computer security space, whether on security teams, in security management, or in other security roles.

The full report is now available to read, but I wanted to call out a few findings and patterns that caught my attention as we were building out the questions and performing data analysis.

First off, the progress of real teams shows that security and DevOps are not two entirely separate goals. In fact, the evolution of security posture mapped very cleanly onto the DevOps evolution model first created in the 2018 State of DevOps Report. Extracting security milestones from the thousands of responses to build out that model made it clear that DevOps done right includes security, and that the reverse is true as well: teams that improve their security posture in a meaningful way can’t help but become more collaborative.

I was also pleased to see how much collaborative security practices influenced overall security posture and ease of flow through the software delivery process. According to the data, if your organization is spending time on collaborative efforts, such as threat modeling exercises or security personnel reviewing or authoring tests alongside developers, you are also more likely to be more evolved in your practices, which in turn bolsters your overall security posture.

These practices can’t be achieved overnight, however. While valuable, they take time to solidify and require trust between security experts and delivery teams. Teams often get started with integrating security into their SDLC practices through testing, and CircleCI can help with that. Tests in service of security can include static analysis, dependency checking and management, OWASP vulnerability management, and regression suites. You can perform all of those types of tests in your CircleCI workflows, and we even have orbs to help you get started with continuous security practices.

One more key theme I observed was that being in the middle of an evolution with security is difficult. When you’re spending as little time and effort as possible on security, it feels pretty easy. When you’re really good at it and it’s fully integrated, it’s sophisticated, but smooth. In the middle stages, where you’ve identified improvements to make and found gaps but haven’t yet created solutions or reworked processes to accommodate security practices, there may be a lot of friction and even a feeling that things are getting worse. It’s a classic Dunning-Kruger effect, and it shows up with security evolution as well.

So, when making investments in security:

  1. Recognize progress over perfection. It’s often the simple things that have a large impact.
  2. Once those are handled, move to collaborative work across security and delivery teams.
  3. Ultimately, security should be included in the way software moves through the system.

In the end, it should be more difficult to bypass security practices and the delivery flow than to continuously do the right thing. Security in your delivery system builds confidence and helps you move quickly, and that’s what everybody’s after.

I hope you enjoy the 2019 State of DevOps Report, full of security goodness, brought to you by our friends at Puppet, Splunk, and all of us here at CircleCI.