What is DevSecOps and why is it important?

This new flavour of DevOps is helping organisations rapidly implement security by design

To stand out against their competition, many organisations seek to roll out software updates more quickly and frequently so that they’re constantly responding to customer needs. In recent years, this has pushed forward the DevOps movement, which conjoins teams from software development and IT operations to streamline software and app creation and quickly implement updates or patches.

As efficient as DevOps is, however, it can be lacking on the security front. If you don’t build security into your software and apps from the start, you open your organisation up to a whole host of problems.

Security by design

DevSecOps is a solution to this, in which security is built into the development lifecycle. Security decisions are made at the same time as development and operational decisions, incorporating security into applications from the beginning rather than hastily applying it when issues arise.

The imperative for privacy and security by design has grown in urgency following the introduction of GDPR in 2018, which brought far tougher data protection measures and a greater emphasis on responsibility and transparency. According to Geoff Parkhurst, CTO of Vouchercloud, the risk to companies’ bottom lines has pressed them to implement security practices as high up the chain as possible,

Through a DevSecOps framework, security becomes a natural component of the development process. It’s also easier and cheaper for security measures to be built into the software from the beginning, and, by pre-empting breaches down the line, you achieve both improved security and customer satisfaction.

Keeping ahead of the criminals

Any company that wants to boost efficiencies and build secure software should use DevSecOps advises Derek Weeks, co-founder of the online community All Day DevOps. He notes that in the past decade the time between a vulnerability announcement and its exploits appearing in the wild have been crunched from 45 days to just three.

“For example, with the last major Struts vulnerability, multiple breaches occurred within three days of the vulnerability announcement at organisations including Equifax, Okinawa Power, GMO Payment Gateway and Canada Statistics. Teams that cannot deploy security updates within this timescale find themselves at significantly more risk of successful adversarial attacks.” 

In Sonatype’s DevSecOps Community Survey, which asked nearly 6,000 IT professionals why they have implemented DevSecOps practices, Kayla Altepeter, a senior staff engineer at Merrill Corporation, said: “Security is important to us, yet if we take a traditional security approach our speed of development is severely slowed down. We need to be secure and move fast”.

This perfectly captures why DevSecOps matters, says Weeks. “It’s not just about automating. It’s about automating faster than evil.”

Implementing DevSecOps also gives businesses a chance to reassess who has access to what systems and information. As Schoenfeld points out, “despite how convenient it may be, it’s a really bad idea to allow everyone complete access to everything”. Companies need to use DevSecOps to limit access across the company so that only people who need privilege across the system can use it. 

“This way enterprises can reduce the number of potential breaches, creating a more robust cyber security position,” he notes. 

Downsides to DevSecOps?

Security does need to be built-in as part of the culture, but although DevSecOps certainly points business leaders in the right direction, Parkhurst believes it still needs time to reach maturity. He’s concerned that it’s become a buzzword, which could mean it turns into a box-ticking exercise allowing businesses to say they’re “doing” DevSecOps without it actually implementing it correctly.

“What I’ve seen – and this is a risk with any new buzzword-led process – is half-hearted adoption. The risk is that, instead of shifting security left, businesses just shift the person responsible for the security to the left…That’s always the risk with the latest ‘big thing’, that some well-meaning project manager or tech leader will try to push changes through without fully considering the ecosystem. 

“The result is a security specialist now sitting closer to the start of the process. That’s certainly a slight benefit but the overall perception of security as a big stop sign for developers will still be a reality. It solves nothing.” 

Culture change challenges 

Then there’s the challenge of DevSecOps adoption, as this requires a complete cultural change within the business. This can be particularly difficult if companies already have a rigid development process and different security procedures in place, notes Schoenfeld.

Related Resource

The secure DevOps imperative

Research-based best practices

Download now

Liz Rice, chair of the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee, advises that it’s important to empower employees and encourage them to adopt tools and processes that support their new style of working, especially in security, where the traditional tools are no longer sufficient. She points out that companies adopting DevSecOps must invest in significant education for staff, as these new tools and processes will also require their users to learn new skills

“The transition is not simply a question of flipping a switch,” agrees Steven Furnell, a senior member of the IEEE and associate dean and professor of Information Security at the University of Plymouth. “It requires additional effort, such as ensuring staff are fully skilled or trained, and equipped with the necessary tools. As such it will require a culture change. As with many aspects of security there’s a price to pay but it should be seen as an investment rather than an overhead.”

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

PwnedPiper flaws threaten infrastructure of 80% of US hospitals
Security

PwnedPiper flaws threaten infrastructure of 80% of US hospitals

2 Aug 2021
How to use machine learning and AI in cyber security
Security

How to use machine learning and AI in cyber security

30 Jul 2021
Chipotle’s marketing email hacked to send phishing emails
phishing

Chipotle’s marketing email hacked to send phishing emails

29 Jul 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

29 Jul 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021