Published Feb 22, 2019
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
As the DevOps approach to applications and development is rapidly expanding across businesses sectors, there’s a growing need for security. In part, the ability to speed up the development lifecycle while simultaneously breaking down silos and gluing IT infrastructure to collaboration is a necessity to stay agile in the ever-expansive digital age. But, there’s a certain aura of competitiveness fueling the DevOps approach. After all, if your competitors have a well-executed DevOps approach to their lifecycle, they are certainly going to beat you to market, and possibly create a more robust, stable app while they’re at it.
But, what about security? How do you hinge security to an aggressive, highly-collaborative effort like DevOps? Does spot-checking security threats and reacting to them post-launch make sense in a world where the software cycle needs to be lightning fast, and collaboration is at an all-time high? This new skeleton of app design and launch calls for new processes for handling security — processes like DevSecOps.
If DevOps is the process of redesigning the dev lifecycle to include more collaboration, less data siloing, and improved automation in an attempt to rapidly scale and produce resilient software, then DevSecOps is the process of gluing security to the DevOps skeleton. In other words, DevSecOps involves baking security into the entire development lifecycle — not just as a granular container within that lifecycle.
Since DevOps involves disrupting the classic “he does, she does” approach and reconfiguring all people within the app lifecycle to be aligned to the outcome of the product — not their individual departments — DevSecOps is about embedding security into that process. So, the software production line is no longer about passing off the responsibility of security; instead, security is baked into the entire lifecycle, and security responsibility becomes hinged to application success for everyone.
Why is DevSecOps Important?
In a sense, DevSecOps is about proactiveness and security continuity. In an environment where nearly 70% of EVERY application uses reusable software components, finding a way to eliminate the inherited vulnerabilities contained within these components is critical. To be clear, security is a big deal in the modern SDLC. In a world where one information breach can cost $4 billion and security vulnerabilities increase year-over-year, combating the wave of attacks requires a proactive mindset and a realignment of goals.
But, let’s clarify. DevSecOps isn’t necessarily a reaction to the state of cybersecurity; it’s a mindset that helps streamline security efforts and prevent revenue leakage.
Let’s go over some reasons that DevSecOps is a critical component of the DevOps process and how it can ultimately improve your SDLC. Here are five reasons that the global DevSecOps market is expected to grow 33.7% year-over-year from 2017 to 2023.
1. Responsibility Clarity
Compartmentalizing security creates a responsibility gap between departments. Once it’s determined that security is the direct responsibility of security teams (and security teams alone), security becomes reactionary during the development process. DevSecOps introduces security as a solution that encompasses the entire dev process (i.e., planning, creation, verification, configuration, pre-production, release, monitoring).
This way, security becomes everyone’s responsibility, and the entire project is hinged to vulnerability protection and prevention.
2. Shifting Left Reduces Friction
For years, security has been a post-release (or post config) concern. DevSecOps shifts those security concerns left and introduces security (via DAST, SAST, etc.) into the entire lifecycle — including the planning phase. Traditional security requires an unbalanced work distribution. An API can be developed in a week, and it may take multiple weeks to secure — especially given the number of open-source containers tacked onto most projects.
To nail DevSecOps, an organization has to be practicing DevOps to some degree in the first place. In fact, organizations that utilize a mature DevOps lifecycle are 338% more likely to integrate security across their SDLC. Why? To bake security into the DevOps process, you have to already have a mature enough SDLC to spread that responsibility and the architecture to promote the collaboration that it’s going to require.
3. Bye-Bye Bandaids
Approaching security in the latter part of the dev cycle is bound to cause issues. To be clear, security isn’t what it used to be. The cybersecurity monster isn’t under the bed waiting for launch to poke holes into your infrastructure. It’s sitting on your bed, poring through GitHub, and looking for any hole in your framework (especially OSS) before you even start the design process.
This means that agility is crucial in the modern security cycle. You have to be both proactive and reactive. Slapping a band-aid fix onto a launched app, only to repeat that process over and over throughout the app’s lifecycle, is costly, ineffective, and, ultimately, leaves the app vulnerable. DevSecOps lets security worm its way into each stage in the app’s creation chain, which means band-aids go out the door, and you get an MRI machine instead. The goal of DevSecOps is to find security vulnerabilities before they’re security problems.
4. Baked-in Automation
A considerable value proposition of DevSecOps is that it promotes baked-in automation across the dev lifecycle. Since security is no longer a secondary concern and cost, and, instead, it’s glued to the entire app itself, automation becomes natural. Whether that’s automated scanners, security checkers, or even automated testing, the ability to reduce mundane work for security developers is fundamentally game-changing.
With DevSecOps, compliance becomes easier, threats are reduced from the first stage, and revenue leakage is prevented down the road. Of course, for automation to become a part of the SDLC, security needs to be centralized and collaborative. That’s precisely what DevSecOps does for development.
5. Speed Racer
In most businesses, developers outnumber appsec employees by 100 to 1. So, it’s no wonder that the average app can take longer to security check than develop. DevSecOps changes this paradigm by introducing appsec employees from the first phase in the development lifecycle. So, not only do appsec employees have more time with applications and a deeper understanding of applications throughout their development chain, but they can collaborate directly with developers to breed new and improved security strategies for everyone.
This means better speed-to-security and a better security presence for apps.
As businesses adopt mature DevOps into their app lifecycle, there’s a growing need for security agility. Vulnerabilities are a massive headache for the current development space, especially when the app cycle is shrinking and app complexity is growing. All of the open source containers and recycled software components introduce incredible friction into the SDLC.
DevSecOps meets these concerns by breeding security into every layer of development. This approach to security gives devs a robust toolkit that they can use to improve their overall security architecture.
Today, we highlighted five benefits of DevSecOps. But, there are plenty of other benefits — broad and granular — to the DevSecOps approach. If you’re looking for additional resources, check out some of our supporting documents or request a free demo and see for yourself how to secure your apps from the start.