DevSecOps Could be the Answer to Fixing Software Development Vulnerabilities
If implemented correctly, DevSecOps represents the best of both worlds: not only does it speed up security processes, but it can also make code more secure. In this article, we’ll look at what DevSecOps is, the benefits it can provide to your organization, and how to begin the transition to it.
Back when the concept was first introduced, many felt that DevOps was a meaningless buzzword. Nevertheless, the fundamental insight of the approach, in which IT operations and software development are integrated into a seamless whole, has now been applied by many organizations, at least to some extent.
At its core, the transition to DevOps has necessitated a cultural shift in the way that software firms work, in which the siloed nature of independent teams has been replaced by a more holistic, communicative approach.
Building on the success of this cultural shift, many are now looking at how its benefits can be taken further.
Some of these novel approaches focus on training junior colleagues to become DevOps engineers. Others have sought to integrate business teams into IT and development processes and to turn DevOps into BizDevOps. By far the most common approach, however, is to begin to bring cybersecurity teams into the DevOps process, and to transition to DevSecOps.
What is DevSecOps?
At one level, the development of DevOps can be seen as a response to the need to increase development speeds. A decade ago, IT operations teams hardly ever talked to developers, and as a result, software was not developed with ongoing maintenance in mind. By integrating these teams, firms have been able to gather input from operations teams at the very beginning of development processes, and ensure that software need not go through repetitive and time-consuming feedback loops between both teams.
Most definitions of DevSecOps take this central idea and extend it to include another set of employees: the cybersecurity team. Despite the increasing integration of other teams within most organizations, cybersecurity teams are still generally siloed, with only infrequent communication with developers. This means that, prior to shipping software (or sometimes even after release), security teams must exhaustively check software for security flaws. This process takes an inordinate amount of time.
By integrating the security team with existing DevOps teams, it is hoped that security issues will be flagged at an early stage and that developers can move toward a security-by-design model.
By engaging with security staff at an early stage, it is also hoped that often overlooked aspects of the security of software – in-transit encryption and web hosting, for instance – can be addressed at the design stage, rather than in a retroactive process of hardening.
Especially when it comes to your choice of web hosting for a small business, the whole thing matters a lot more than you realize. Hosting is not just a platform to launch your eCommerce website; your hosting selection also affects website performance, reliability, and security.
The Benefits of DevSecOps
Beyond the speed at which software can be developed, there are many other benefits to DevSecOps.
One of the most important is the ability to integrate security monitoring into software at a more fundamental level than it is currently. The integration of cybersecurity and development teams will “naturally” lead to calls for security monitoring and assessment software to be built into software from the beginning of the development cycle, allowing even small businesses to measure their level of cybersecurity maturity.
Alongside this added transparency, a transition to DevSecOps also gives security staff a much deeper level of insight into the way in which software actually works, and the compromises involved in building it. One of the most unfortunate consequences of the lack of communication between security and operations teams over the past decade is that each team has developed its own way of looking at the world.
Cybersecurity engineers are adept at scanning for external threats, and will continuously argue for the need for strong encryption to be applied to every level of software. They are often less concerned with, or less well informed about, the internal operation of software, or just how much performance will decrease if encryption is applied in this way.
Making the Transition
For companies that have already successfully implemented DevOps, transitioning to DevSecOps need not be difficult, or even particularly disruptive. Nevertheless, there are three critical principles to bear in mind during this transition.
The first is to respect the existing expertise of both DevOps and security teams. You should not attempt, in other words, to integrate one of these teams directly into the other, and merely delegate security to the operations team.
Secondly, and building on this point, recognize that training is often the most useful tool you have in achieving a successful transition. One of the most difficult aspects of the current IT skills gap is that many college courses focus on either security or development, and so graduates who focused on the latter often don’t have even basic cybersecurity knowledge such as how to set up a VPN or how to choose a strong password. Equally, cybersecurity teams will need to be taught the basics of secure coding in order to contribute effectively.
Finally, don’t attempt to replicate the negative aspects of the “traditional” model of software development. The role of the security staff within a DevSecOps team is not only to perform the kind of threat intelligence that has historically characterized their jobs. Instead, they should be trained on the basic principles of continuous service delivery and continuous integration, and see their role as development consultants, rather than as the gatekeepers of software publication.
Building on Success
If implemented correctly, DevSecOps represents the best of both worlds: not only does it speed up security processes, but it can also make code more secure. If you’ve already got the crucial components for DevOps in place, and are now looking to scale your startup without compromising security, DevSecOps is the way to do this.