The DevOps methodology is being embraced by many firms – and to great effect. However, in the past, security was often missed as companies rushed to build and release products ahead of their competitors.
Enter DevSecOps: a methodology that builds security into every step of the development process. This approach offers multiple benefits, including reduced costs and faster delivery because security problems are dealt with as they arise.
DevOps breaks down barriers between operations and engineering teams, providing high-quality collaboration and communication. DevSecOps, on the other hand, is designed to integrate security throughout DevOps workflows in a way that is transparent to developers, says Meera Rao, senior principal consultant at Synopsys.
Indeed, in DevSecOps, security practices are built into the development lifecycle, says Derek Weeks, VP and DevOps advocate at Sonatype. “They are also being integrated early in the lifecycle and across it, in a way that operates at scale.”
Among the benefits, says Nigel Kersten, VP of ecosystem engineering at Puppet: “It’s about security being part of the design: if we have a world where we can push out changes really quickly, we can recover much faster.”
In addition, DevSecOps allows security to be “on the same page” as development, says Brook Schoenfield, master security architect at IOActive. “When security becomes a natural and organic part of the development process, it gets implemented well.”
The benefits are clear. DevSecOps creates a repeatable and auditable process that security teams can count on and budget for. “It enables security strategies to adapt more quickly to meet the challenges of changing business goals and evolving threats,” Rao says.
Many firms are already realising the efficiency gains offered by DevSecOps – especially those that were already embracing DevOps. According to a recent report by Sonatype, 81% of organisations with “elite” DevSecOps programmes have a cyber security response plan in place, versus 62% of those without. Elite DevSecOps companies are also three times more likely to provide application security training.
So, how can businesses adopt this methodology? The first step is to think about what your company wants to achieve from DevSecOps. “The first thing you need to do is meet with the development team and leaders and talk about the outcomes you want to achieve as an organisation,” says Weeks.
For example, he asks: “Do we want secure code? Do we want security to come in and integrate with development practices?”
Once these decisions have been made, companies can consider automated tooling, says Weeks.
As part of this, automation of static application security testing (SAST) tools is an important component of DevSecOps adoption, says Rao. “It drives code efficiency and consistency, as well as helping to detect defects early.”
Rao also recommends SAST integrated development environment (IDE) plugins. “Development teams often take shortcuts to hit milestones or stay within budget constraints. To help developers avoid mistakes and eliminate the related risks, SAST IDE plugins provide just-in-time security guidance by scanning code as it is written, rather than after it is committed to version control.”
It’s also important to understand when and how to ‘break the build’ effectively. “In the past, breaking the build might have caused consternation to development teams: in fact, it’s essential when critical, high-risk issues and vulnerabilities are discovered at any point during the software development lifecycle,” says Rao.
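A minimal build gate of the kind Rao describes, as an added example that is not drawn from the article or from any vendor quoted in it: it reads a list of findings (constructed sample data in a format assumed here; real SAST and dependency-scanning tools emit their own formats, such as SARIF, that would be mapped into this shape), breaks the build at or above a configurable severity, and honours time-limited risk acceptances so that suppressions expire and get reviewed rather than becoming permanent.

```python
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings, as a SAST or dependency-scan step might produce
# once its native output has been mapped to this shape (format is an assumption).
SAMPLE_FINDINGS = [
    {"id": "sast-0001", "severity": "high", "rule": "sql-injection", "file": "app/db.py"},
    {"id": "sast-0002", "severity": "medium", "rule": "weak-hash", "file": "app/auth.py"},
    {"id": "sca-0003", "severity": "critical", "rule": "vulnerable-dependency", "file": "requirements.txt"},
    {"id": "sast-0004", "severity": "low", "rule": "debug-enabled", "file": "app/settings.py"},
]

def evaluate_gate(findings, fail_on="high", accepted=None, today=None):
    """Return (should_fail, blocking, warned).

    fail_on:  lowest severity that breaks the build (inclusive).
    accepted: {finding_id: "YYYY-MM-DD"} of risk-accepted findings; once the
              expiry date has passed the finding blocks the build again.
    today:    ISO date string, defaults to the current date.
    """
    accepted = accepted or {}
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_on]
    blocking, warned = [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)
        expiry = accepted.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # risk accepted and still inside its review window
        if rank >= threshold:
            blocking.append(f)
        elif rank > 0:
            warned.append(f)  # reported, but does not break the build
    return bool(blocking), blocking, warned

def main():
    should_fail, blocking, warned = evaluate_gate(
        SAMPLE_FINDINGS, fail_on="high",
        accepted={"sast-0001": "2019-12-31"}, today="2019-09-01")
    for f in warned:
        print(f"WARN  {f['id']} {f['severity']:<8} {f['rule']} ({f['file']})")
    for f in blocking:
        print(f"BLOCK {f['id']} {f['severity']:<8} {f['rule']} ({f['file']})")
    return 1 if should_fail else 0  # non-zero exit status breaks the CI job

if __name__ == "__main__":
    raise SystemExit(main())
```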
Automation can make security more efficient, says Schoenfield. However, at the same time, he warns that not all security can be automated. “The danger for security is in the devil’s mindset: there is a misconception that security tooling has got so good, it’s just a matter of running the right tools or tests and you are secure.”
He concedes that although there are tools attempting to automate, “significant human analysis” is still required.
There can also be organisational challenges to overcome when implementing DevSecOps. For example, collaborative efforts can be hindered if teams see the security processes as a barrier. “While security wants to keep things safe, development is striving to move fast and deliver to customers who are using the software,” Weeks says.
It’s therefore important for employees to understand that processes weren’t invented to make life difficult, says Kersten. “When development teams work with security, they need to realise that processes are there for a reason.”
It means developers often need to change the way they think. For example, DevSecOps requires a deeper understanding of the simple mistakes that can be made when developing software, says Paul Farrington, EMEA CTO at Veracode.
He points out that open source software can be a risk. “Developers will often choose to put this in their apps. Therefore, they need to be thinking about the software supply chain and understand where the vulnerabilities exist in open source components.”
At the same time, collaboration across the business is key. “This needs to be continuous – across development, security, operations teams, and the rest of the business,” Rao advises.
Weeks agrees. “It starts with communication first and tooling comes second,” he says. “You need to work out your expectations and communicate them. People want to be as fast as Netflix and Uber but for the chief information security officer (CISO) there is a challenge: as quick as you want to be internally, externally there are adversaries.
“Attackers are moving quickly and if you can’t make a security change for a month, you are at risk for 28 days. CISOs need to talk to the development team about this.”
Overall, firms should treat security problems like quality issues, Rao says. “Ignoring bugs won’t make them go away. Instead of waiting until after bugs and vulnerabilities wreak havoc on your applications, treat them like any other bug within your DevSecOps process.”
DevSecOps, like DevOps, relies on strong collaboration and willingness to change across the business. Some of it comes down to logistics. Weeks advises firms to “mesh people together so security teams sit with development and help guide practices.”
But in smart organisations, security teams aren’t just sitting in development, Weeks says: “They are attacking the code immediately so they can give feedback loops straight away.”