DevOps practices allow for development and operations to build, test, release and design software far faster and with greater agility. Its foundations are collaboration and speed, connecting silos and creating teams that can work more efficiently and productively. It’s iterative, it’s fast, and it relentlessly aligns with business strategy, but often it has left another silo out in the cold – security. DevSecOps has become an increasingly popular term as organisations realise the importance of integrating security into the DevOps process. Instead of solutions tacking on security as an afterthought, they are designed with robust security principles in mind. According to Mandla Mbonambi, CEO of Africonology, it’s a substantial shift in thinking that delivers significant, long-term benefits.
Opposing forces
One of the biggest challenges faced by most organisations is balancing the needs of security against the demands of agility. Security is constantly closing the doors and windows to prevent the bad stuff from getting in while DevOps teams want to leave them open as they’re the fastest way of getting things done. This often causes bottlenecks and slow-downs as software is restrained by the security that’s added on at the end of the process. With DevSecOps, the goal is to bring the opposing forces together by removing the siloed thinking between DevOps and security. With this high level of engagement across teams, the process is inclusive of security requirements and considerations and improves communication and collaboration. Challenges in software or solution are uncovered early and fast with constant security testing in iterations across the delivery cycles.
Secure agility
The State of Software Security Today report by Veracode found that the DevSecOps unicorn does exist and it does see significant security benefits. Those companies that have active DevSecOps programs fix flaws 11.5% faster than those without. The ability to embed security checks into every part of every build on a continuous basis drives ongoing security and stability. Vulnerabilities and issues in code and design are addressed as and when they are found and this makes it easier, overall, to manage improvements and capabilities. The same report found that around 85% of all applications have at least one vulnerability of a high or very high severity – this is why DevSecOps makes sense. The vulnerabilities are caught fast and often.
Shared responsibility
The Cloud Security Alliance (CSA) recently released the Six Pillars of DevSecOps which outlines some of the most important steps every organisation should be taking to mitigate the security threat and the first pillar is perhaps the most critical – collective responsibility. By embedding a culture of DevSecOps into the business, responsibility for security shifts from IT to everyone and this change in dialogue is critical for sustainable business security.
“Everyone is responsible for security,” says Mbonambi. “It’s not just the IT department or the Chief Security Officer or whichever department has been tasked with the role of securing the organisation. From the employee that needs to understand secure behaviour to cross-silo interaction and collaboration, security must be integrated into all aspects of the business and its development.”
The ongoing threat
“There are so many reports and statistics outlining the threats that are looming over the organisation that it’s hard to turn without seeing another breach, discovered hack or ransomware attack,” says Mbonambi. “The landscape is volatile and the cybercriminal has evolved to become incredibly sophisticated and committed. This is why DevSecOps has become so important.”
DevSecOps allows for the organisation to become as agile in its security as the cybercriminal is in tearing it down. Constant scanning, assessment, iteration, vulnerability detection, and posture assessment reduces risk and introduces a greater chance of catching the problems before they turn the business into another statistic.
As a service
DevSecOps isn’t limited to internal team collaboration to resolve issues or build solutions, it can be integrated into the business through the use of trusted experts and advisors. DevSecOps-as-a-Service allows for the organisation to harness the expertise and insights of skilled security and testing service providers, getting all the benefits of agility and iteration within specific business parameters while bypassing the endless void that defines cybersecurity and DevOps skills availability. Skills are, and look set to remain, a challenge for most organisations. Talented security, testing, and development people who understand the value of DevSecOps are rare, expensive and elusive.
“Working with a partner to build a robust DevSecOps posture ensures that the business remains as agile as possible without compromising on security,” concludes Mbonambi. “The right partner will collaborate as closely with the relevant teams as any silo embedded within the business and will work with existing security teams to ensure that every aspect of the process is aligned with strategy and outcomes. DevSecOps-as-a-Service ensures that no organisation is left behind.”