随着安全团队与开发人员的对抗,DevOps社区中缺乏标准的实践正在引起越来越大的摩擦。这种内部摩擦使他们开发的软件和使用该应用程序的组织容易受到攻击和破坏。 开源安全和许可证管理公司WhiteSource在9月30日发布的一份报告中探讨了导致孤立软件开发文化的各种因素,以及实现敏捷,成熟的DevSecOps实践需要采取哪些步骤-涉及将IT安全作为一项共享功能集成所有DevOps团队。 该报告表明,软件开发团队面临越来越大的压力,他们忽视了安全功能以满足较短的开发生命周期。 鉴于有消息显示该发现尤其重要,该报告中接受调查的所有开发人员中,有一半以上表示他们没有安全的编码培训或只有年度活动。除了缺乏软件编码人员的安全培训外,还发现少于三分之一的组织拥有已定义的,商定的漏洞优先级排序过程。
原文标题:DevSecOps: Solving the Add-On Software Security Dilemma
原文:The lack of standard practices in the DevOps communities is causing growing friction as security teams line up against developers. This internal friction leaves software they develop and organizations that use the apps vulnerable to attacks and breaches.A report released Sept. 30 by open source security and license management company WhiteSource explores various factors contributing to the siloed software development culture and what steps are needed to achieve agile, mature, DevSecOps practices -- which involves integrating IT security as a shared function among all DevOps teams.The report shows feelings of increased pressure among software development teams to overlook security features to meet short development lifecycles.That finding is especially significant in light of revelations that more than half of all developers polled in the report said they have either no secure coding training or only an annual event. Add to this lack of security training among software coders the finding that fewer than one-third of organizations have a defined, agreed-upon vulnerability prioritization process.
