Seventy percent of DevOps professionals believe that formal education did not give them the training to be successful in today’s ‘DevSecOps’ world. This is according to a report carried out by DevOps.com and sponsored by application security company Veracode.
As the DevOps movement – a software development delivery process – gains ground, an understanding of the necessary security principles (DevSecOps) is crucial, yet clearly not well attended to. Nearly 40 percent of organizations surveyed said that the hardest employees to find are all-purpose DevOps gurus with sufficient knowledge about security testing. On the other end of the spectrum, seven in ten developers complained that their organizations do not provide them with enough training in application security for them to do their jobs well.
Lack of applied teaching
DevOps.com surveyed 400 DevOps professionals from around the world, and despite the fact that the majority of respondents held a bachelor’s or master’s degree, most in computer science or IT-specific programs, their responses indicate an overwhelming lack of cybersecurity knowledge prior to workforce entry.
“If you’ve been clinging to the hope that you can sidestep the issue by hiring fresh-from-college recruits schooled in modern DevSecOps curriculums, abandon it, fast,” the report stated. “A shocking three-quarters of college-educated respondents to our survey said they were never required to complete a single course focused on security during higher education.”
The site also interviewed many experts in the security community at the academic, practitioner and vendor levels for the report. The opinion of the academic experts interviewed was that today’s typical computer-science programs still do not tune themselves to the security needs of a fast-paced IT organization.
Proof of this, according to the report, is that many universities are offering a dedicated computing security program, a maneuver the report calls ineffective because it separates those who will become developers in an organization from the people who are going to be doing security.
“Both computing security professionals and software development professionals need to be responsible for security,” the report stresses.
DevOps-oriented organizations that do not hire personnel with the necessary security skills, or don’t include training and education best practices into their transformation strategies, will likely face stalled or failed DevOps efforts. This is in addition to heightened risks to software infrastructure that could cause costly breaches and theft of intellectual property. But, as previously stated, developers feel they’re not given enough training to address this.
“Regardless of what the answers are to cure the deficiencies in collegiate curriculums, the fact of the matter is those are very long-term fixes,” the report stated. “It’s going to be up to the industry and individual organizations to take some immediate short- and medium-term steps to fill in the DevSecOps skills deficits that exist today.”
The report denotes three key steps organizations will need to take:
1. Invest time and money for continuous education
“Organizations that want to move fast and minimize risks need to train their staff accordingly, particularly developers who are being called on to enact appsec [application security] strategies at the ground level.
“If your organization struggles to justify sending developers away for extended training classes, one suggestion might be to stud the developer corps with a few highly trained appsec experts who can help train their colleagues on the job.”
2. Embed security in every training opportunity
The report asserts that security principles are difficult to get to stick within the engineering department because they’re rarely add-on skills that employees can learn in the space of a couple of days, adding that:
“Security classes are good, but meshing security principles within every education opportunity is even better.”
Stefano Zanero, Associate Professor, Politecnico di Milano, told interviewers: “It needs to be embedded in the continuous professional development content.
“We are beginning to see professional societies that are starting to structure it that way. It’s about creating the mindset where application developers know that whenever they add a functionality, they are probably increasing the attack surface.”
3. Ensure applicability
Finally, whether training is for developers, operations or security personnel, it should be targeted and applicable to the specific role.
“If you’re taking the opportunity to train your broader engineering organization on security, you want it to be deeply applicable,” says Zane Lackey, Chief Security Officer, Signal Sciences, in the report. “They’re not going to leave as complete security experts, but instead they should have a deep enough understanding that they can reach out to their development lead, DevOps manager or security engineers to ask the right questions when they need to.”