Dr Chris Boorman, Vice President of Marketing for EMEA, CA Technologies, and Global Head of Marketing for CA Automation, makes the business case for putting security at the heart of DevOps.
“Development, operations and security are fundamentally intertwined. A well-designed, developed and managed system is the foundation of a secure system. DevOps must evolve to a new vision (that) balances the need for speed and agility of enterprise IT capabilities with the enterprise need to protect critical assets, applications and services.”
Gartner analyst Neil MacDonald wrote those words in 2012 when he and colleague Cameron Haight first introduced the concept of DevSecOps – the seamless integration of security experts, processes and tools with DevOps workflows so that security is a priority throughout the development pipeline rather than tacked on at the end.
More than five years later, DevSecOps has become one of those trendy acronyms that gets a good deal of attention in the IT trade press and at conferences, but many businesses are still working to find that balance between accelerated development cycles and a “security is everybody’s responsibility” mindset.
Despite DevSecOps’ rising awareness and popularity, it’s still a work in progress inside many organisations. Businesses are struggling to get once-siloed teams to work together to overcome the obsolete notion that incorporating security earlier in and throughout the process conflicts with today’s need for rapid, agile software delivery.
Looking towards the end of this year and into 2019, more companies need to embrace DevSecOps and ensure that the integration of security into DevOps becomes standard operating procedure across industries. At a time when high-profile attacks have made cybersecurity one of the world’s most pressing concerns, DevSecOps represents a clear path forward towards addressing security in enterprise application development.
There’s good reason for optimism. DevOps – the unification of Development and Operations through collaborative processes and heavy use of automation to deploy software faster – is gaining traction. Nearly half of respondents said their companies have already adopted or are planning to adopt DevOps practices and another third reported their companies are considering it, according to one survey.
With DevOps gaining momentum, it’s a small leap to apply the same culture of collectiveness, automation and persistent monitoring to embedding security throughout the development pipeline.
Traditionally, enterprises have dealt with security from an outside-in approach. The security team gets involved only after code is nearly final and “hardens” it using techniques such as firewalls and DMZ topologies, then performs penetration tests that probe for SQL injection, buffer overflows and other attack techniques. These final checks can take weeks or even months to complete.
DevSecOps, on the other hand, calls for a shift-left model that requires development, operations and security teams to work collaboratively earlier in the process to detect security vulnerabilities in every phase, from design to deployment. In this paradigm, everyone involved in developing software must share responsibility for security.
Obviously, this is a challenging transition. It requires developers who have been focused on short milestone sprints to feed the iterative development beast to step out of their comfort zone and learn new skills and tools.
Meanwhile, security team members must step out of their own silo and empathise with developers who are charged with constantly innovating and delivering new end-user features as rapidly as possible. So what should an organisation do to get its DevSecOps initiative off to a good start, or make sure an existing one keeps running smoothly?
To start, as with any collaborative endeavour that brings people together from different backgrounds, experiences and outlooks, it’s important to acknowledge the possibility of conflicts up front and deal with them head on. Senior leaders should be involved to explain why the DevSecOps ethos is so vital to the company’s future, and to hold everyone accountable for advancing its success.
On a practical level, development, operations and security teams must work together to determine which of their existing processes and automation tools can integrate well into a DevSecOps environment.
Since any particular application will have specific requirements for security and reliability, domain experts need to be part of the team to ensure that the code is written to address them and that testing against those requirements begins early in the process.
Teams should pay close attention to the Open Web Application Security Project (OWASP) top 10 list of web application vulnerabilities, which was recently updated. These are the most common exposures, such as injection and cross-site scripting, that DevSecOps-minded teams need to flag as early as possible in the development process.
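As an added illustration of the shift-left idea in the three paragraphs above (this is example code, not from the article or from CA Technologies), the following script is a small, self-contained check that could run as a pre-commit hook or CI step. It parses Python source with the standard `ast` module and flags any DB-API `execute()`-style call whose SQL statement is assembled at runtime with an f-string, `+`, `%` or `.format()`, either inline or through a variable assigned such a string. The injection pattern it looks for is the OWASP top-10 “injection” category; the function names (`find_sql_string_building`, `lookup_user`, and so on) and the embedded sample module are constructed for the example.

```python
"""Constructed shift-left example: a small AST-based check that flags SQL
statements assembled with string formatting before they reach the driver.
Meant to run as a pre-commit hook or CI step, so the finding surfaces at
the developer's desk rather than in a late penetration test."""
from __future__ import annotations

import ast
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    message: str


# Cursor method names that hand a statement to the database (DB-API 2.0).
EXECUTE_METHODS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from other values:
    f-strings, '+' or '%' on strings, and str.format() calls."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_sql_string_building(source: str) -> list[Finding]:
    """Return one Finding per execute()-style call whose statement argument is
    a dynamically built string, either inline or via a variable assigned one."""
    tree = ast.parse(source)

    # Pass 1: names assigned a dynamically built string anywhere in the module.
    tainted: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))

    # Pass 2: execute-style calls whose first argument is dynamic or tainted.
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXECUTE_METHODS or not node.args:
            continue
        stmt = node.args[0]
        if _is_dynamic_string(stmt) or (isinstance(stmt, ast.Name) and stmt.id in tainted):
            findings.append(Finding(
                node.lineno,
                f"{node.func.attr}() receives a string built at runtime; "
                "pass a parameterised statement and a parameter tuple instead",
            ))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module, not real project code.  Two of the three
# lookups build the statement from caller-supplied input; the middle one
# shows the parameterised form the check is steering developers towards.
SAMPLE_SOURCE = '''
def lookup_user(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def lookup_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def lookup_order(cur, order_id):
    query = "SELECT * FROM orders WHERE id = " + str(order_id)
    cur.execute(query)
'''


def main(paths: list[str]) -> int:
    """CI entry point: scan each file, print findings, exit 1 if any."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for f in find_sql_string_building(fh.read()):
                print(f"{path}:{f.line}: {f.message}")
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in find_sql_string_building(SAMPLE_SOURCE):   # demo run on the sample
        print(f"sample:{f.line}: {f.message}")
```

Run with no arguments to see the two findings on the embedded sample (lines 3 and 10 of that module); pass source files as arguments to use it as a CI gate that fails the build. The check is deliberately narrow and will produce false positives for constant-only concatenation, which is the usual trade-off for a fast pre-commit step; a full static analyser belongs later in the same pipeline.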
In an era of ever-heightening attack risk, integrating security in the software development lifecycle from start to finish seems low-hanging fruit in companies’ efforts to make security the number one priority.