At its core, DevSecOps involves “integrating security practices within DevOps”. According to the analysts at Gartner, we will see a rapid increase from 15% of development teams in 2017 using DevSecOps to 80% by 2021. Meanwhile analysts at Forrester found that one of the top priorities for security and risk professionals for 2019 is moving from DevOps to DevSecOps.
What is driving this rapid adoption? I believe the cybersecurity challenges thrown up by organizations’ digital transformations and the move to a fast-moving digital world are the key factors. In this world, cybersecurity challenges are very real and becoming harder to manage; barely a day goes by without us reading about another organization that has suffered an attack.
Unfortunately, all of this has suddenly become very personal, as some of my personal information was caught up in a couple of the major data breaches of recent years, and I have had to struggle with the implications of having my personal data stolen.
One of the core challenges for many organizations in today’s digital world is that the new, powerful customer experiences they want to create simply cannot be built in isolation. Third-party integrations are often what distinguishes your product or service from the competition, whether that means integrating real-time weather data or processing payments.
Almost every modern application includes some third-party or open source software, and when developers pull in such third-party libraries they also inherit whatever vulnerabilities those libraries carry. The speed at which organizations want to release software, particularly with DevOps, means you need the right processes and tools in place to find and fix those vulnerabilities before release. It’s here that DevSecOps provides tremendous value to organizations, because it embeds privacy, security, and compliance practices into your DevOps, enabling you to continue to operate at speed but with enhanced cybersecurity.
Reviewing this trend in the context of a specific industry, banking, we are seeing a fascinating dynamic in which traditional banks and modern fintechs increasingly partner with each other.
But as traditional banks open up their technology environments to create new products, and at the same time aim to ship those products as fast as fintechs do, they face new security threats. DevSecOps can provide the processes and tools that enable banks to lower their risk when opening up their technology environments to create these modern applications.
Put simply, the digital world moves fast, and this means enterprises struggle to keep up with ever-changing customer demands. This puts cybersecurity teams under pressure to keep up, particularly with high-velocity development teams.
DevSecOps is highly attractive in these circumstances because it builds security best practices into the core of the software product development lifecycle. And these are practices that can scale and that you can automate. It involves integrating security practices into every area of software development, from your infrastructure, continuous integration and continuous delivery pipelines, and applications through to your network’s borders.
For too long, cybersecurity practices have been left to one side, as they failed to adjust to new ways of working, in particular the shift from Waterfall to Agile development approaches. The combination of Agile and DevOps is incredibly powerful, putting your software development efforts, as it were, “on steroids”.
The challenge, however, is that many security tools and processes have not kept up with this pace of change and are not ideal for fast-moving technology teams. But with DevSecOps, organizations can “automate” security throughout the development process, from the design of the application through to production. The reason I used quotes is that in this context automation does not mean that things will just run on their own; there still needs to be a very significant, ongoing human effort, as no single tool or even suite of tools can solve all security concerns. What tools can do is automate many of the routine tasks, so that more brain-power can be devoted to where humans make the biggest difference.
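To make the two points above concrete (third-party libraries carrying vulnerabilities into an application, and automating the routine part of security so that people can focus on judgement calls), here is an added example that is not part of the original post: a minimal dependency-audit gate of the kind a DevSecOps pipeline would run on every build. It parses a pinned requirements file, checks each package version against an advisory list, and fails the build on any affected or unpinned dependency. The package names, versions and advisory identifiers are constructed for illustration only; in a real pipeline the advisory list would come from a vulnerability feed and the requirements file from the repository.

```python
"""Added example (not from the original post): a minimal dependency-audit
gate for a CI pipeline. All package names, versions and advisory IDs below
are CONSTRUCTED and do not describe real software or real vulnerabilities."""
import re

# Constructed advisory feed: package -> [(first fixed version, advisory id), ...]
# A pin is affected when its version is strictly below the first fixed version.
ADVISORIES = {
    "examplelib": [("1.4.0", "EXAMPLE-ADV-0001")],
    "fakehttp": [("2.0.3", "EXAMPLE-ADV-0002")],
}

# Constructed requirements file in pip's "name==version" pin format.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed sample)
examplelib==1.3.2
fakehttp==2.0.3
othertool==0.9.1   # no known advisory
"""


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so that comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Return {name: version} for 'name==version' lines; comments are ignored.

    Anything that is not an exact pin is rejected: a floating range such as
    'name>=1.0' cannot be audited reproducibly because the version that ends
    up in the build is not known until install time."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return [(name, pinned version, first fixed version, advisory id), ...]."""
    findings = []
    for name, version in pins.items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, fixed_in, advisory_id))
    return findings


def gate(text, advisories=ADVISORIES):
    """Pipeline decision: (passed, findings).

    Fails on any affected pin and on unpinned dependencies; the findings list
    is what a reviewer reads when the build is blocked."""
    try:
        pins = parse_requirements(text)
    except ValueError as err:
        return False, [("policy", str(err))]
    findings = find_vulnerable(pins, advisories)
    return len(findings) == 0, findings


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_REQUIREMENTS)
    print("build allowed" if passed else "build blocked")
    for finding in findings:
        print("  ", finding)
```

The gate is deliberately strict about unpinned dependencies: an audit of `name>=1.0` says nothing about what actually ships, so the policy treats it as a finding rather than guessing. The human effort the post describes is what happens after the gate fires: deciding whether a flagged advisory applies to how the library is used, and upgrading or replacing it.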
Getting started with DevSecOps is more complex than I can outline here, but based on our experience, I suggest the following key actions:
A final note: remember that DevSecOps represents an evolution from existing DevOps practices. Ultimately it should help increase quality while lowering product and organizational risk. There’s no point being the first to market with an impressive new software product, only to find it has major security flaws.
April 23 / 2020