What is DevSecOps and why is it important?
This new flavour of DevOps is helping organisations rapidly implement security by design
The ability to ship software updates quickly and frequently has become one of the ways organisations seek to stand out against the competition, and it is what has driven the DevOps movement in recent years.
However, if security is not built into this automated pipeline, there will be problems. As Liz Rice, chair of the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee, points out: “It’s either going to hold up the delivery of new functionality, or it’s going to be left out – and that would be dangerous for a business and its customers’ data.”
This has led to the growth of DevSecOps, where security is planned for and built into the development lifecycle, and businesses’ development, operations and security departments work more closely together than ever before.
Security by design
Privacy and security by design has really come into its own following the introduction of GDPR, as it moved away from being best practice to “do this, or you’ll see thousands in fines,” says Geoff Parkhurst, CTO of vouchercloud.
“This is encouraging the ‘plumbing-in’ of security aspects as high up the chain as possible. A lack of security now has a direct impact on the bottom line, rather than some potential of a breach or cyberattack,” he notes.
Indeed, if companies make security a natural, organic part of the development process it gets implemented well. This way security features are determined early in the development cycle – when it’s much easier for them to be built into software, rather than added on “expensively and perhaps in a tortured or hacked manner too late in the process to be designed properly,” notes industry expert and author Brook Schoenfeld.
Keeping ahead of the criminals
Any company that wants to boost efficiency and build secure software should use DevSecOps, advises Derek Weeks, co-founder of the online community All Day DevOps. He notes that in the past decade the time between a vulnerability announcement and exploits for it appearing in the wild has shrunk from 45 days to just three.
“For example, with the last major Struts vulnerability, multiple breaches occurred within three days of the vulnerability announcement at organisations including Equifax, Okinawa Power, GMO Payment Gateway and Canada Statistics. Teams that cannot deploy security updates within this timescale find themselves at significantly more risk of successful adversarial attacks.”
In Sonatype’s DevSecOps Community Survey, which asked nearly 6,000 IT professionals why they have implemented DevSecOps practices, Kayla Altepeter, a senior staff engineer at Merrill Corporation, said: “Security is important to us, yet if we take a traditional security approach our speed of development is severely slowed down. We need to be secure and move fast”. This perfectly captures why DevSecOps matters, says Weeks. “It’s not just about automating. It’s about automating faster than evil.”
Implementing DevSecOps also gives businesses a chance to reassess who has access to which systems and information. As Schoenfeld points out, “despite how convenient it may be, it’s a really bad idea to allow everyone complete access to everything”. Companies should use the DevSecOps transition to limit access so that privileges across the system are granted only to the people whose roles require them.
“This way enterprises can reduce the number of potential breaches, creating a more robust cybersecurity position,” he notes.
Downsides to DevSecOps?
Security does need to be built in as part of the culture. Although DevSecOps certainly points business leaders in the right direction, Parkhurst believes it still needs time to reach maturity. He is concerned that it has become a buzzword, which could turn it into a box-ticking exercise that lets businesses say they are “doing” DevSecOps without actually implementing it correctly.
“What I’ve seen – and this is a risk with any new buzzword-led process – is half-hearted adoption. The risk is that, instead of shifting security left, businesses just shift the person responsible for the security to the left… That’s always the risk with the latest ‘big thing’, that some well-meaning project manager or tech leader will try to push changes through without fully considering the ecosystem.
“The result is a security specialist now sitting closer to the start of the process. That’s certainly a slight benefit but the overall perception of security as a big stop sign for developers will still be a reality. It solves nothing.”
Culture change challenges
Then there is the challenge of adoption itself, since DevSecOps requires a complete cultural change within the business. This can be particularly difficult if a company already has a rigid development process and separate security procedures in place, notes Schoenfeld.
Rice advises that it’s important to empower employees and encourage them to adopt tools and processes that support their new style of working, especially in security, where the traditional tools are no longer sufficient. She points out that companies adopting DevSecOps must invest in significant education for staff, as these new tools and processes will also require their users to learn new skills.
“The transition is not simply a question of flipping a switch,” agrees Steven Furnell, a senior member of the IEEE and associate dean and professor of Information Security at the University of Plymouth. “It requires additional effort, such as ensuring staff are fully skilled or trained, and equipped with the necessary tools. As such it will require a culture change. As with many aspects of security there’s a price to pay but it should be seen as an investment rather than an overhead.”