Solving Digital Transformation Cybersecurity Concerns With DevSecOps

At its core, DevSecOps means “integrating security practices within DevOps.” According to analysts at Gartner, the share of development teams using DevSecOps will rise rapidly, from 15% in 2017 to 80% by 2021. Meanwhile, analysts at Forrester found that one of the top priorities for security and risk professionals in 2019 is moving from DevOps to DevSecOps.

What is driving this rapid adoption? I believe the cybersecurity challenges posed by organizations’ digital transformations and the shift to a fast-moving digital world are key factors. In this world, cybersecurity challenges are very real, and they are becoming harder to manage. Barely a day goes by without news of another organization that has suffered an attack.

Unfortunately, all of this has suddenly become very personal, as some of my personal information was caught up in a couple of the major data breaches of recent years. I have had to struggle with the implications of having my personal data stolen, just as many business owners have in recent years.

Modern Software Products Are Not Created In Isolation

One of the core challenges for many organizations in today’s digital world is that they must create powerful customer experiences, and doing so in isolation is simply not possible. Third-party integrations are often what distinguishes your product or service from the competition, whether that is integrating real-time weather data or processing payments. Almost every modern application includes some third-party or open source software, and when developers pull in such libraries they inherit those libraries’ vulnerabilities along with their features, often without knowing it. The speed at which organizations want to release software, particularly with DevOps, means you need the right processes and tools in place to catch this. It is here that DevSecOps provides tremendous value, because it embeds privacy, security and compliance practices into your DevOps, enabling you to continue to operate at high speed, but with enhanced cybersecurity.
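The kind of pipeline check that paragraph calls for, as an added example that is not code from the article or from any particular tool: a dependency gate that parses a pinned requirements file and matches each pin against an advisory list using version ranges. Package names, versions and advisory identifiers here are constructed for illustration and describe no real software; in a real pipeline the advisory data would come from a vulnerability feed and the version comparison would follow the ecosystem’s own rules (PEP 440 for Python), not the simplified dotted-integer comparison used here.

```python
"""Dependency gate for a CI pipeline (added example; constructed data only).

Flags two things the article's point turns on: pinned third-party packages
whose version falls inside an advisory's affected range, and dependencies
that are not pinned at all (so the build cannot say what it will ship).
"""
import re

# Constructed requirements file; the package names are fictional.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
weather-client==2.3.1
paymentsdk==1.8.0
jsonparse>=3.0,<4
httpkit==0.9.12
"""

# Constructed advisories: affected if introduced <= version < fixed.
# The ADV-* identifiers are placeholders, not real advisory IDs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "paymentsdk", "introduced": "1.0.0",
     "fixed": "1.8.2", "summary": "constructed: insufficient input validation"},
    {"id": "ADV-0002", "package": "httpkit", "introduced": "0.0.0",
     "fixed": "1.0.0", "summary": "constructed: certificate check bypass"},
    {"id": "ADV-0003", "package": "weather-client", "introduced": "1.0.0",
     "fixed": "2.0.0", "summary": "constructed: unsafe deserialization"},
]

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)$")
_NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)")


def parse_version(v):
    """Dotted integers -> tuple for ordering. Simplified; not PEP 440."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Return {package_name: pinned_version or None for unpinned}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            # Ranges like ">=3.0,<4" are not reproducible builds; record as unpinned.
            pins[_NAME_RE.match(line).group(1).lower()] = None
    return pins


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def check(requirements_text, advisories):
    """Return (vulnerable, unpinned).

    vulnerable: list of (package, pinned_version, advisory_id, fixed_version)
    unpinned:   package names with no exact pin
    """
    pins = parse_requirements(requirements_text)
    vulnerable, unpinned = [], []
    for name, version in pins.items():
        if version is None:
            unpinned.append(name)
            continue
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                vulnerable.append((name, version, adv["id"], adv["fixed"]))
    return vulnerable, unpinned


if __name__ == "__main__":
    vulns, loose = check(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for name, ver, adv_id, fixed in vulns:
        print(f"FAIL {name}=={ver}: {adv_id}, upgrade to >= {fixed}")
    for name in loose:
        print(f"WARN {name}: not pinned to an exact version")
    raise SystemExit(1 if vulns else 0)   # a non-zero exit fails the CI stage
```

Run as a pipeline stage, the script exits non-zero on any match so the build stops; unpinned packages are reported as warnings because the fix there is a process change (pin and lock) rather than an upgrade.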

Let’s review this trend in the context of a specific industry: banking. We are seeing a fascinating dynamic in which traditional banks and modern fintech (financial technology) companies increasingly partner with each other. But as traditional banks open up their technology environments to create new products, and simultaneously aim to ship those products as fast as their fintech counterparts, they face new security threats. DevSecOps can provide the processes and tools that let banks lower their risk while opening up their environments to build these modern applications.

DevSecOps Builds Security Into Development Processes

Put simply, the digital world moves fast, and enterprises struggle to keep up with ever-changing customer demands. This puts cybersecurity teams under pressure to keep pace, particularly with high-velocity development teams. DevSecOps is attractive in these circumstances because it builds security best practices into the core of the software development life cycle, as practices that scale and can be automated. It means integrating security into every area of software development: your infrastructure, your continuous integration and continuous delivery pipelines, your applications and your network’s borders.

DevSecOps And Agile Development

Cybersecurity practices have for too long been left to one side, as they failed to adjust to new ways of working, particularly the shift from Waterfall to Agile development. The combination of Agile and DevOps is incredibly powerful; it is as if you have put your software development efforts “on steroids.” The challenge is that many security tools and processes have not kept up with this pace of change and are not well suited to fast-moving technology teams. With DevSecOps, organizations can “automate” security throughout the development process, from the design of the application to its deployment in production. I use quotes because, in this context, automation does not mean things will simply run on their own. There still needs to be significant, ongoing human effort, as no single tool or even suite of tools can solve all of your security concerns. Tools can, however, take over many of the repetitive tasks, so that more brainpower can be devoted to where humans make the biggest difference.

Getting started with DevSecOps is more complex than I can outline here, but based on my experience, I suggest starting with the following key actions:

* Start security practices as early as possible in the software development life cycle. From the very start, whether you are designing the application or evaluating its underlying architecture, make sure security considerations are top of mind. Bring in threat modeling and risk assessments as soon as possible, while changing a design is still cheap.

* Invest in cybersecurity software for your DevSecOps pipelines. More and more tools are available; security as code and compliance as code are two examples. Compliance as code means, quite simply, codifying your compliance requirements as machine-checkable rules that run automatically in the pipeline against your infrastructure and application configuration, so every build reports whether it meets them. This gives you an immediate, repeatable picture of your exposure to risk rather than a point-in-time audit.

* Help developers learn to code securely and understand security best practices. Applications must adhere to the fundamentals of information security: confidentiality, integrity and availability of data. Focus on security education and training, and pair developers with security and risk professionals who have deeper security expertise. Use breaches that have made the news to emphasize the importance of security to your team. Even further, make it personal if you have suffered an attack.
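To make the compliance-as-code action above concrete, here is an added example that is not code from the article or from any compliance product: a few requirements of the kind a bank might have (encryption at rest, no public buckets, no administrative ports exposed to the internet, TLS to databases, minimum backup retention) written as plain functions that a pipeline stage runs against a rendered deployment configuration. The configuration layout, resource names and rule identifiers are all assumed and constructed for illustration; in practice the input would be whatever your infrastructure-as-code tooling emits (a Terraform plan rendered to JSON, for example), and the rule set would be owned jointly by security and compliance.

```python
"""Compliance as code (added example; constructed config and rule ids).

Each compliance requirement is a function that inspects the config and
returns zero or more findings. The pipeline gate fails the build when any
finding exists, so drift from the requirement is caught on every change.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # requirement identifier, reused in the audit report
    resource: str   # which resource violates it
    detail: str     # what exactly is wrong


# Constructed deployment config in the shape a pipeline might produce by
# rendering its infrastructure-as-code to JSON before the policy step.
SAMPLE_CONFIG = {
    "storage_buckets": [
        {"name": "customer-docs", "encryption": "aes256", "public": False},
        {"name": "marketing-assets", "encryption": None, "public": True},
    ],
    "firewall_rules": [
        {"name": "web-in", "port": 443, "source": "0.0.0.0/0"},
        {"name": "ssh-in", "port": 22, "source": "0.0.0.0/0"},
        {"name": "ssh-bastion", "port": 22, "source": "10.0.0.0/8"},
    ],
    "databases": [
        {"name": "ledger", "tls_required": True, "backup_retention_days": 35},
        {"name": "analytics", "tls_required": False, "backup_retention_days": 7},
    ],
}


def require_bucket_encryption(cfg):
    """STORAGE-ENC: every bucket must declare encryption at rest."""
    return [Finding("STORAGE-ENC", b["name"], "bucket is not encrypted at rest")
            for b in cfg["storage_buckets"] if not b.get("encryption")]


def forbid_public_buckets(cfg):
    """STORAGE-PUBLIC: no bucket may be publicly readable."""
    return [Finding("STORAGE-PUBLIC", b["name"], "bucket is publicly readable")
            for b in cfg["storage_buckets"] if b.get("public")]


def forbid_admin_ports_from_internet(cfg, admin_ports=(22, 3389)):
    """NET-ADMIN: SSH/RDP must not be reachable from 0.0.0.0/0."""
    return [Finding("NET-ADMIN", r["name"], f"port {r['port']} open to {r['source']}")
            for r in cfg["firewall_rules"]
            if r["port"] in admin_ports and r["source"] == "0.0.0.0/0"]


def require_db_tls(cfg):
    """DB-TLS: database connections must require TLS."""
    return [Finding("DB-TLS", d["name"], "database accepts non-TLS connections")
            for d in cfg["databases"] if not d.get("tls_required")]


def require_backup_retention(cfg, min_days=30):
    """DB-BACKUP: backups must be retained at least min_days."""
    return [Finding("DB-BACKUP", d["name"],
                    f"backup retention {d['backup_retention_days']}d < {min_days}d")
            for d in cfg["databases"] if d["backup_retention_days"] < min_days]


# The rule set is the codified compliance requirement; add to it under review.
RULES = [require_bucket_encryption, forbid_public_buckets,
         forbid_admin_ports_from_internet, require_db_tls, require_backup_retention]


def evaluate(cfg, rules=RULES):
    """Run every rule and collect all findings (not just the first)."""
    findings = []
    for rule in rules:
        findings.extend(rule(cfg))
    return findings


def pipeline_gate(cfg, rules=RULES):
    """Return (passed, findings); a CI job fails the build when passed is False."""
    findings = evaluate(cfg, rules)
    return (not findings), findings


if __name__ == "__main__":
    passed, found = pipeline_gate(SAMPLE_CONFIG)
    for f in found:
        print(f"{f.rule:15} {f.resource:18} {f.detail}")
    print("COMPLIANT" if passed else f"NON-COMPLIANT: {len(found)} finding(s)")
    raise SystemExit(0 if passed else 1)
```

Keeping each requirement as its own small function matters more than it looks: a compliance reviewer can read a rule and match it to the control it implements, the findings carry the rule identifier straight into the audit trail, and a change to a requirement is a reviewed code change rather than a spreadsheet edit. Note that the admin-port rule in this example only looks for the literal 0.0.0.0/0; a production rule would parse CIDRs and also catch ranges such as 0.0.0.0/1 that are equally public.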

Remember that DevSecOps represents an evolution from existing DevOps practices. Ultimately, it should help increase quality while lowering product and organizational risk. There’s no point in being the first to market with an impressive new software product, only to find it has major security flaws.

