At its core, DevSecOps involves “integrating security practices within DevOps”. According to the analysts at Gartner, we will see a rapid increase from 15% of development teams in 2017 using DevSecOps to 80% by 2021. Meanwhile analysts at Forrester found that one of the top priorities for security and risk professionals for 2019 is moving from DevOps to DevSecOps.
What is driving this rapid adoption? I believe the cybersecurity challenges thrown up by organizations’ digital transformations and the move to a fast-moving digital world are the key factors. In this world, cybersecurity challenges are very real and becoming harder to manage: barely a day goes by without us reading about another organization that has suffered an attack.
Unfortunately, all of this has suddenly become very personal, as some of my personal information was caught up in a couple of the major data breaches of the last few years, and I have had to struggle with the implications of having your personal data stolen.
Modern software products are not created in isolation
One of the core challenges for many organizations in today’s digital world is that these new, powerful customer experiences simply cannot be created in isolation. Third-party integrations are often what distinguishes your product or service from the competition – whether that’s integrating real-time weather data or processing payments.
Almost every modern application will include some third-party or open source software – and when developers use such third-party libraries, they can easily introduce vulnerabilities. The speed at which organizations want to release software, particularly with DevOps, means you need the right processes and tools in place. It’s here that DevSecOps provides tremendous value to organizations, because it embeds privacy, security, and compliance practices into your DevOps, enabling you to continue to operate at speed, but with enhanced cybersecurity.
Looking at this trend in the context of one specific industry, banking, we’re seeing a fascinating dynamic where traditional banks and modern fintechs increasingly partner with each other.
But as traditional banks open up their technology environments to create new products, and at the same time aim to release those products as fast as fintechs do, they face new security threats. DevSecOps can provide the processes and tools that enable banks to lower their risk when opening up their technology environments to build these modern applications.
DevSecOps builds security into development processes, enabling organizations to release software at speed
Put simply, the digital world moves fast – and this means enterprises struggle to keep up with ever-changing customer demands. This puts cybersecurity teams under pressure to keep up, particularly with high-velocity development teams.
DevSecOps is highly attractive in these circumstances because it builds security best practices into the core of the software product development lifecycle. And these are practices that can scale and that you can automate. It involves integrating security practices into every area of software development, from your infrastructure, continuous integration and continuous delivery pipelines, and applications, to your network’s borders.
DevSecOps and Agile development
Cybersecurity practices have for too long been left to one side, as they failed to adjust to new ways of working, in particular in light of the shift from Waterfall to Agile development approaches. The combination of Agile and DevOps is incredibly powerful – putting, as it were, your software development efforts “on steroids”.
The challenge, however, is that many security tools and processes have not kept up with this pace of change, and are not ideal for fast-moving technology teams. But with DevSecOps, organizations can “automate” security throughout the development process, from the design of the application through to production. The reason I used quotes is that in this context automation does not mean that things will just run on their own: there still needs to be a very significant, ongoing human effort, as no single tool or even suite of tools can solve all security concerns. However, tools can certainly automate many of the tasks, so that more brain-power can be devoted to where humans make the biggest difference.
Getting started with DevSecOps is more complex than what I can outline here, but based on our experience, I suggest the following key actions:
- Start with security practices as early as possible in the software development lifecycle. From the very start, whether when considering the design of your application or evaluating the underlying architecture, make sure security considerations are top of mind. Bring in threat modeling and risk assessments as soon as possible.
- Invest in cybersecurity software for your DevSecOps pipelines. There are more and more cybersecurity tools available – security as code and compliance as code are a couple of examples. Compliance as code involves, quite simply, codifying your compliance requirements, which can then be automatically deployed. This can help you immediately understand your exposure to risk.
- Help developers learn how to code securely and understand security best practices. Applications must adhere to the best practices of information security, including data integrity, availability, and confidentiality. Focus on security education and training, and also on best practices for working with security and risk professionals, who will have more security expertise than individual developers. Use examples of hacks that have been in the news to emphasize the importance of security – or, as I mentioned at the beginning of the article, make it personal if you have suffered an attack.
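To make the second action concrete, here is a small compliance-as-code check of the kind that can gate a CI/CD pipeline stage. It is an added example, not code from the original article or from any particular tool: compliance requirements are written down as executable rules and evaluated automatically against an application's deployment configuration. The rule ids (TLS-01, DBG-01, SEC-01, DEP-01), the shape of the configuration dictionary, and the sample values are all constructed for illustration.

```python
"""Compliance as code: requirements expressed as executable rules that a
pipeline evaluates automatically against a deployment configuration.
Constructed example; rule ids, config layout and sample values are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    check: Callable[[dict], bool]  # returns True when the config is compliant


def _version_tuple(version: str) -> tuple:
    """'1.2' -> (1, 2); anything unparsable sorts as the lowest possible version."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return (0,)


def tls_is_modern(cfg: dict) -> bool:
    tls = cfg.get("tls", {})
    enabled = bool(tls.get("enabled"))
    return enabled and _version_tuple(str(tls.get("min_version", "0"))) >= (1, 2)


def debug_off_in_production(cfg: dict) -> bool:
    return not (cfg.get("environment") == "production" and cfg.get("debug"))


_CREDENTIALS_IN_URL = re.compile(r"://[^/@\s]+:[^/@\s]+@")


def no_credentials_in_urls(cfg: dict) -> bool:
    # Credentials belong in a secret store, not inside a connection string in config.
    urls = [v for v in cfg.get("database", {}).values() if isinstance(v, str)]
    return not any(_CREDENTIALS_IN_URL.search(u) for u in urls)


_EXACT_VERSION = re.compile(r"^\d+(\.\d+)+$")


def dependencies_pinned(cfg: dict) -> bool:
    # A floating version ('latest', '>=2.0') can silently pull in a vulnerable release.
    return all(_EXACT_VERSION.match(str(v)) for v in cfg.get("dependencies", {}).values())


RULES: List[Rule] = [
    Rule("TLS-01", "TLS enabled with minimum protocol version 1.2", tls_is_modern),
    Rule("DBG-01", "Debug mode disabled in production", debug_off_in_production),
    Rule("SEC-01", "No credentials embedded in connection URLs", no_credentials_in_urls),
    Rule("DEP-01", "Third-party dependencies pinned to exact versions", dependencies_pinned),
]


def evaluate(cfg: dict, rules: List[Rule] = RULES) -> Dict[str, str]:
    """Return {rule_id: description} for every rule the config violates."""
    return {r.rule_id: r.description for r in rules if not r.check(cfg)}


def pipeline_gate(cfg: dict) -> int:
    """Exit status for a CI/CD stage: 0 lets the deployment proceed, 1 blocks it."""
    failures = evaluate(cfg)
    for rule_id, description in failures.items():
        print(f"FAIL {rule_id}: {description}")
    return 1 if failures else 0


# Constructed sample config, deliberately violating all four rules.
NONCOMPLIANT_CONFIG = {
    "service": "payments-api",
    "environment": "production",
    "tls": {"enabled": True, "min_version": "1.1"},
    "debug": True,
    "database": {"url": "postgres://app:hunter2@db.internal/payments"},
    "dependencies": {"requests": "2.31.0", "pyyaml": "latest"},
}

# The same constructed config after remediation.
COMPLIANT_CONFIG = {
    "service": "payments-api",
    "environment": "production",
    "tls": {"enabled": True, "min_version": "1.2"},
    "debug": False,
    "database": {"url": "postgres://db.internal/payments"},  # credentials come from a secret store
    "dependencies": {"requests": "2.31.0", "pyyaml": "6.0.1"},
}

if __name__ == "__main__":
    raise SystemExit(pipeline_gate(NONCOMPLIANT_CONFIG))
```

Run as a pipeline step, the script prints each failed rule and exits non-zero, so the deployment is blocked until the configuration is fixed; because the rules are plain data plus a function, adding a new requirement means appending one `Rule` rather than editing the gate itself, which is what makes this kind of check scale across many services.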
A final note: remember that DevSecOps represents an evolution from existing DevOps practices. Ultimately it should help increase quality while lowering product and organizational risk. There’s no point being the first to market with an impressive new software product, only to find it has major security flaws.