According to PWC’s 2021 survey, half of enterprise executives are now considering cybersecurity in every business decision. This security-first approach can include techniques such as multi-factor authentication, artificial intelligence and more — but DevSecOps is one of the most frequently talked about solutions to increased security threats. So, what is it and is it really the answer?
What is DevSecOps?
Development Security Operations (DevSecOps) is an approach to security that utilises an Agile framework — breaking down traditional silos to maximise speed and efficiency. Traditional silo-based approaches resulted in a production bottleneck once completed software had been handed over to security teams; DevSecOps overcomes this issue by involving security throughout development rather than at the end.
DevSecOps prioritises security from the start, continually testing for vulnerabilities throughout development and automating key security processes. Automated tools such as web application firewalls, open source software governance and intrusion detection systems are commonly used to streamline a DevSecOps approach, while cross-functional teams prevent a production bottleneck.
According to a 2020 survey by Sonatype, DevSecOps teams have fewer open source related breaches, and the majority deployed to production at least once a week. Almost half of DevSecOps teams said that they still didn’t have enough time to spend on security, but had built in more automation, meaning that security was being assessed throughout the process. Finally, the more evolved a DevSecOps team was, the higher their employee satisfaction.
As well as being faster and more secure, DevSecOps allows for the sharing of multi-disciplinary knowledge. By working alongside the DevOps team, security professionals gain a better understanding of how the software works, which in turn helps them understand the DevOps team’s priorities. For example, security professionals usually advocate for a thorough encryption approach, while DevOps are focused on software performance — which encryption can sometimes reduce. By working together, the teams can strike the right balance between these contrasting needs.
DevSecOps offers huge potential, so why isn’t everyone using this approach? A commonly cited issue is the culture clash between a high-speed, pressurised DevOps approach and more traditional, cautious security practices. Most commonly, security is integrated with an existing DevOps team, meaning that security professionals are viewed as the outsiders. This, combined with entrenched preconceptions about security — that it is something that happens later or may even stifle innovation — can lead to conflict between teams.
Security Compass’s ‘2021 State of DevSecOps’ report also highlighted technical challenges, cost, lack of time and lack of education as issues holding back adoption of DevSecOps. In addition, while automation is an important aspect of the DevSecOps approach, the surveyed participants still felt implementation was insufficient and that they were being slowed down by manual security processes.
Clearly, successful DevSecOps adoption doesn’t just happen; it has to be nurtured. Cultural clash can be overcome by appointing a ‘security champion’ within the DevOps team who emphasises the importance of security and facilitates communication between teams. It can also help to have leadership explain the business case for improvement, so that teams understand the rewards for working through any teething difficulties.
It’s equally vital to invest in automation. It’s a cornerstone of DevSecOps and yet still under-utilised. No matter how hard you work to prevent potential cultural clash between teams, if integrating security into development really does slow down the process, then resentment is inevitable. Using automation to streamline security could make the difference between a successful or failed DevSecOps adoption. Finally, most developers are not taught how to write secure code — according to Forrester, even the top Computer Science courses feature little security training, so it’s important to support education in this area.
It’s clear that DevSecOps isn’t a panacea for the climate of increasing security threats. It comes with its own set of challenges and if implemented incorrectly, could end up causing more hassle than it’s worth. However, with the right attitude and commitment, you could end up with a well-oiled DevSecOps team who write secure code as second nature.