While business demand for DevOps in recent years shows the growing need for agile operations amongst tech and operational teams across a wide range of industries, it has also revealed that traditional manual security testing processes no longer cut it. The reality is that traditional development methods lack the agility needed to keep up with modern security needs. So how do businesses keep their security processes aligned? Enter: DevSecOps.
The purpose of this new collaborative discipline is to build the mindset that everyone in the organisation is responsible for security. However, while this mindset lends itself to a cooperative system between business and security, there are challenges in bringing DevSecOps to life, and making sure it delivers the right outcomes for the business and its customers.
Filling the security gap at the source
The time at which software is most at risk is during the test phase – when code is promoted between environments and the breadth of automated testing performed. Because many products today (software and apps) are developed and tested without a layer of security at their core, many of these products are prone to back doors. Traditional security processes aren’t enough because they are often performed manually as a last step in the release of software or a product.
In an era where customer trust is everything and where regulators are putting more pressure on companies to protect data and customers’ personal information, failing to deliver a secure product isn’t optional. It can impact anything from a company’s reputation to its share price.
However, implementing security at the development layer presents a challenge for businesses because DevOps experts often don’t possess the necessary security expertise to do so. This leads us into the biggest challenge for businesses: finding the right people with the right skills. In fact, in 2018 Indeed revealed that Australia only has 7 percent of the cybersecurity expertise that it needs.
Today, security operates in silos and security experts are not communicating enough with engineers and developers. Because of this, businesses need to seek out DevOps experts who also have knowledge in security, or bring a third security expert to the party.
Fortunately, there are platforms that businesses can utilise to train developers in security such as those offered by Pluralsight, a technology learning platform, and Secure Code Warrior which gamifies security training. Services like these can help businesses train and equip developers to think and act with a security mindset every day. They also enable businesses to keep up with the speed of technology, work smarter and faster, and gain in-demand skills in areas like cloud, mobile, security and data.
Learning from the cloud model
Cloud has been really good at teaching us how well technology can integrate together. Businesses today can manage all integrated products seamlessly within the cloud. It's about applying that concept to the organisation. Security, development, and operations are all aspects of the business that need to be integrated.
DevSecOps is directly drawing lessons from the cloud path – it’s all about having a holistic view of security and integrating different parts of the puzzle so every piece of technology developed and delivered meets different types of requirements, including the need for security.
Automation has proven to be a useful tool, giving businesses the agility needed to keep up with the rapid pace of modern business. With DevSecOps, companies can move away from manual testing to automatic testing to mitigate the risk of a security breach. However, in order to get there, organisations need to make the effort to set a culture of responsibility – the benefits of which stretch further than just security.
DevSecOps: an organisational imperative
By mandating and investing in the right tools and practices that mitigate risk within the development cycle, the DevSecOps discipline gives businesses more credibility in their security practices – a standardised way to promote and test software securely. This in itself is a selling point for businesses because many companies look for a partner with a clear set of practices that act almost like an insurance policy for their own business.
It also means that the cost of remediation after a product goes live is significantly less because security has been factored in at the point of product conception. Moreover, this collaborative foundation also supports the generation of new creative ideas and problem solving. By tightening the relationship between development, security, and operations teams, a holistic view of the technology of a business can be clearly mapped.
Today, technology is rapidly advancing and it is our responsibility as technology experts to ensure that we too advance with it. However, it is important that organisations implement DevSecOps incrementally and overtime to standardise these practices. A steady transition, with a focus on the automation aspect, will ensure that these practices suit the organisation itself.
However, businesses cannot hope to achieve a true integration of security, development, and operations without first laying the cultural foundation in which a discipline that puts the responsibility of security on everyone.