Maximizing Development ROI Through DevSecOps

Managing the software development lifecycle (SDLC) can be expensive in most organizations. It also presents a range of complex challenges that teams must manage throughout that cycle. These include timely delivery of quality code (no small challenge in and of itself), along with the need to accommodate customer input and requests, deliver a positive user experience, protect against risks and exposures, and ensure compliance with applicable data privacy and protection rules and regulations. Some of the biggest challenges stem from managing communications, ensuring an adequate development flow, and avoiding unplanned and unwanted disruptions and rework. Anything that slows down development ultimately raises costs and reduces its ROI. In large part, this explains the impetus to integrate security into DevOps approaches and methods.

From DevOps to DevSecOps

At a high level, DevOps is best understood as a set of methods, tools, and processes that integrate development, testing, and code deployment, following continuous integration and continuous deployment (CI/CD) practices. Builds are produced frequently, tested just as frequently, and, when ready, moved from the development environment into production at the same pace. What application security brings to this mix is the continuous integration of security understanding and intelligence into design, build, test, and maintenance cycles. Security thus becomes part of the process for the entire SDLC, and security factors play an especially important role in testing (thanks to the integration and prioritization of current security intelligence) and in maintenance (to make sure that code in production is subject to continuous security monitoring and remediation when needed).

The real strength of DevOps lies in its powerful integration of design, testing, deployment, and maintenance efforts. DevSecOps is even more powerful because it applies the same ongoing, consistent, and tightly integrated approach to security issues throughout the SDLC, alongside code quality, ongoing improvements in performance and reliability, enhancements to functions and capabilities, and rapid, agile development processes.

ROI Benefits from DevSecOps

Security exposures and vulnerabilities expose organizations’ code to a variety of risks. These include (but are not limited to):

  • Loss, harm, or unwanted exposure of user or customer data
  • Theft or harm to company assets, intellectual property, or revenues
  • Damage to the company’s brand and reputation arising from data breaches or unauthorized disclosures
  • Fines, damages, or penalties arising from failure to meet privacy or confidentiality rules and regulations

Simply put, by integrating security directly into their development processes, companies can avoid or mitigate the risks that too often result when they deploy vulnerable or unsecured application code into production. DevSecOps ensures that security pervades the entire development lifecycle, creating more secure code from the outset and enabling threat and security intelligence to identify and address potential vulnerabilities and exposures before they can impact production code in the field. This means a substantial reduction in exposure to all of the risks in the preceding list, each of which can incur substantial costs, both tangible and intangible, especially those that lead to legal or regulatory difficulties or damage to brand(s) and reputation.

DevSecOps also offers benefits above and beyond an improved security posture and reduced exposure to risk. By integrating current security intelligence into development, testing, and delivery processes, DevSecOps prevents the schedule disruptions that arise when urgent vulnerabilities are identified and require immediate attention: such issues are addressed in the next update cycle, and that cycle arrives sooner rather than later. DevSecOps also helps shorten the development cycle, allowing companies to handle and integrate changes (including those driven by security as well as other concerns) without slowing workflow.

Managing Supply Chain Risks to Development

Very few worthwhile software development projects occur nowadays without involving third parties. These include the companies that provide tools, platforms, and services (GitHub, Slack, and so forth) as well as the companies and open source organizations that provide building blocks for implementation (code frameworks and libraries, application programming interfaces (APIs), middleware, and so on). Companies need to manage the risks that arise from this supply chain (as recent major incidents involving SolarWinds and Microsoft Exchange clearly illustrate), and to monitor and manage the risks that third-party components in their code can pose, whether proprietary or open source.

A recent Accenture study reports that “some of the most important risk management capabilities in which companies can invest are those that can provide greater visibility into operations.” This means that companies should carefully attend to the development tools, services, and platforms they consume, as well as the third-party software components they integrate into their codebases. In Accenture’s words, this will allow them to “collect and analyze rich data across the supply chain so they can identify developments that could affect their operations and mobilize to respond when necessary.” Furthermore, Accenture also observes that “Companies should consider investing in capabilities that enable them to effectively monitor their supply chain in real time so they can identify potential threats and proactively respond before they become real problems…”

This kind of language not only highlights the importance of keeping up with the overall supply chain, especially as it relates to in-house development and code delivery; it also reinforces that the real value and contribution of the Sec part of DevSecOps comes from cultivating a security-first mindset.

© 2025 Kiuwan. All Rights Reserved.