Industry Trends

Key Findings from Fortinet’s 2019 State of DevOps Security Report

By Fortinet | July 24, 2019

Digital transformation involves redistributing data, computing and processes to reduce overhead, simplify operations and enhance productivity. One of the most impactful outcomes is that workflows, data access and analysis, and transactions are all being moved to web applications. DevOps went mainstream in 2017 with 84% of enterprises adopting DevOps principles, enabling customers to easily conduct transactions using their smart phones and other devices.

This enabled employees to use web applications to do things like conduct business, generate reports, and collaborate with other workers, resulting in increased productivity and the ability to respond more quickly to market demands. IoT devices use similar applications to share, collect, and correlate data to contribute to Big Data and bridge the gap between IT and OT networks.

The Challenge of DevOps

As web applications increasingly become the responsibility of the DevOps team, which uses special development strategies to build, assemble, update and maintain these applications. For the most part, these applications leverage cloud native services in order to accelerate their ability to develop these tools.

One of the most unexpected results of digital transformation is that online consumers tend to be much more fickle. They are willing to abandon brand loyalty in exchange for a faster, simpler, or slicker user interface. And internal users exhibit many of the same tendencies. So, to keep up with this new reality, DevOps teams are under constant pressure to adapt new technologies and maintain a competitive edge in a space driven by change.

Today, DevOps is impacting more strategic business initiatives in the company than ever. Web applications have evolved from an interesting business novelty to strategic tools supporting the mainline business. And because of this increasingly visible and important business function, 69% of DevOps team leaders now report directly to a member of the C-suite.

The Need for Speed and Security

Because DevOps applications have become essential to business success, proper security is critical for these tools. Exploiting the right web application can not only expose the personally identifiable information (PII) of a customer, but have a serious impact on critical business functions. According to Fortinet’s recent 2019 State of DevOps Security Report, 92% of organizations have seen at least one vulnerability slip into production in the past 12 months, with the typical organization experiencing 3 to 5 vulnerabilities in production in that time. And catching those vulnerabilities is equally challenging, as only 14% of organizations have enabled full visibility into their DevOps environment from their SOCs. As a result, 70% of organizations plan to roll DevOps security under their CISO in the next year.

However, there are some concerns that this commitment is little more than lip service. The reason is time to market. Speed is a critical component of DevOps efforts, and failure to provide applications and updates means falling behind, which in today’s digital marketplace can have devastating consequences.

 What DevOps professionals fear, and rightly so, is that traditional security solutions will inevitably slow down their projects. And as a result, according to a recent survey, 52% of companies admitted to scaling back security measures to meet a business deadline or objective. In fact, 68% say their CEOs demand that DevOps and security teams never slow down a business process. Unfortunately, the speed at which code needed to be published has likely played a role in a number of high-profile data breaches.

Combining Best Practices with Security Solutions

What DevOps teams need are security tools that reduce risk without impeding their work or requiring them to become security experts. They need to be able to stitch security tools and functions into an application where they are needed, but without the time and energy required to build and manage those tools from scratch. Instead, they need configuration and updates, lifecycle maintenance, and monitoring to be automated. And when not, those functions need to be performed by the security team.

However, security solutions alone are not enough. The analysis in the 2019 State of DevOps Security Report of those organizations that consistently manage to catch application vulnerabilities and avoid security breaches shows that they also practice a similar set of good security hygiene protocols. These best practices include:

  • Security audit tracking
  • Tracking and reporting on compliance with security standards
  • Tracking and reporting security compromises
  • Dependencies analysis
  • Scanning public cloud instances for misconfigurations
  • Vulnerability assessment and management scanning
  • Monitoring and managing code commits

Meeting DevOps Goals While Reducing Risk

The findings in our 2019 State of DevOps Security Report indicate that security solutions for a DevOps environment must be scalable, agile, and automated. Which also means that traditional approaches to network security simply do not have the agility to support a DevOps environment. Instead, network security must include integrated and automated solutions that can address the current threat landscape—in which cyber criminals are using advanced technologies such as artificial intelligence and swarm technology to create customized threats that move at machine speeds—while not impeding the speeds at which DevOps needs to operate.

This needs to be done by combining best practices with security solutions that simplify implementation, minimize false positives through machine learning, and automate threat response. Organizations that establish and adhere to such a holistic, fully integrated approach to security can reap the benefits of DevOps without increasing risk to themselves or their customers. 

Learn more about how Fortinet’s multi-cloud solutions provide the necessary visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.

Read these customer case studies to see how Cuebiq and Steelcase implement Fortinet’s multi-cloud services for secure connectivity and application security.