“Development, operations and security are fundamentally intertwined. A well-designed, developed and managed system is the foundation of a secure system. DevOps must evolve to a new vision (that) balances the need for speed and agility of enterprise IT capabilities with the enterprise need to protect critical assets, applications and services.”
Gartner analyst Neil MacDonald wrote those words back in 2012 when he and colleague Cameron Haight introduced the concept of DevSecOps – the seamless integration of security experts, processes and tools with DevOps workflows so that security is a priority right from the start and at every phase of the development pipeline rather than tacked on at the end.
More than five years later, DevSecOps has become one of those trendy acronyms that gets a good deal of attention in the IT trade press and at conferences, but many enterprises are still working to find that balance between accelerated development cycles and a “security is everybody's responsibility” mindset.
Despite DevSecOps' rising awareness and popularity, it's still a work in progress inside many organizations to get once-siloed teams to work together and overcome the obsolete notion that incorporating security earlier in and throughout the process conflicts with today's need for rapid, agile software delivery.
It will be important in 2018 for more companies to embrace DevSecOps and ensure that this extremely sensible methodology eventually becomes standard operating procedure across industries. At a time when headline-making attack after attack has made cybersecurity one of the world's most pressing concerns, DevSecOps represents the best path forward toward addressing security in enterprise application development.
There's a good reason for optimism. DevOps – the unification of Development and Operations through collaborative processes and heavy use of automation to deploy software faster – is gaining traction. Nearly half of respondents said their companies have already adopted or are planning to adopt DevOps practices and another third reported their companies are considering it, according to one survey.
With DevOps gaining momentum, it's a small leap to apply the same culture of collectiveness, automation and persistent monitoring to baking in security throughout the development pipeline.
Traditionally, enterprises have dealt with security with an outside-in approach. The security team gets involved only after the code is nearly final and “hardens” it through techniques such as firewalls and DMZ topologies before performing penetration tests that exercise SQL injection, buffer overflows and other attack techniques. These final checks can take weeks or even months to complete.
DevSecOps, on the other hand, calls for a shift-left model that requires development, operations and security teams to work collaboratively earlier in the process to detect security vulnerabilities in every phase, from design to deployment. In this paradigm, everyone involved in developing software must share responsibility for security.
Obviously, this is a challenging transition. It requires developers who have been focused on short milestone sprints to feed the iterative development beast to step out of their comfort zone and learn new skills and tools.
Meanwhile, security team members must step out of their own silo and empathize with developers who are charged with constantly innovating and delivering new end-user features as rapidly as possible.
So what should an organization do to get its DevSecOps initiative off to a good start or make sure an existing one keeps running smoothly?
To start, as with any collaborative endeavor that brings together people from different backgrounds, experiences and outlooks, it's important to acknowledge the possibility of conflicts up front and deal with them head-on. Senior leaders should be involved to explain why the DevSecOps ethos is so vital to the company's future and hold everyone accountable for advancing its success.
On a practical level, development, operations and security teams must work together to determine which of their existing processes and automation tools can integrate well into a DevSecOps environment.
Since any particular application will have specific requirements for security and reliability, domain experts need to be part of the team to ensure that the code is being written to address them and that tests covering those requirements are run early in the process.
Teams should pay close attention to the Open Web Application Security Project (OWASP) Top 10 list of web application vulnerabilities, which was recently updated. These are the most common exposures, such as injection and cross-site scripting, that DevSecOps-minded teams need to flag as early as possible in the development process.
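The following is an added example (not code from the article or from OWASP) of what "flagging injection and cross-site scripting early" can look like in practice: a small test gate that a CI pipeline runs on every commit. It pairs a vulnerable SQL lookup and HTML renderer with their hardened counterparts and feeds each a constructed probe string; the gate reports which implementations resist the probe so the build can fail before the code ever reaches a penetration test. The database rows, probe strings and function names are all assumptions made for the example.

```python
"""Shift-left gate for two OWASP Top 10 classes: injection and XSS.

Added example, not part of the original article. Uses only the Python
standard library (sqlite3 for the query, html for output encoding).
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: untrusted input is concatenated into SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterised query keeps data and code separate."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_vulnerable(name: str) -> str:
    """Deliberately vulnerable: raw input is interpolated into HTML."""
    return "<p>Hello " + name + "</p>"


def render_safe(name: str) -> str:
    """Hardened: contextual output encoding before the value hits HTML."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


# Constructed probes: classic textbook inputs used purely as test vectors.
INJECTION_PROBE = "x' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"


def resists_injection(lookup) -> bool:
    """True when a probe that matches no real row returns no rows."""
    return len(lookup(make_db(), INJECTION_PROBE)) == 0


def resists_xss(render) -> bool:
    """True when the probe's script tag does not survive rendering intact."""
    return "<script>" not in render(XSS_PROBE)


def run_gate() -> dict:
    """Evaluate every implementation; a CI job fails if any value is False."""
    return {
        "lookup_vulnerable": resists_injection(lookup_vulnerable),
        "lookup_safe": resists_injection(lookup_safe),
        "render_vulnerable": resists_xss(render_vulnerable),
        "render_safe": resists_xss(render_safe),
    }


if __name__ == "__main__":
    results = run_gate()
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    raise SystemExit(0 if all(results.values()) else 1)
```

Wired into a pipeline as a required check, the script exits non-zero whenever the concatenated or unescaped variant is still present, which is the point of shift-left: the same finding a penetration tester would raise weeks later surfaces on the commit that introduced it.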
Here's hoping that DevSecOps really goes mainstream in 2018. In an era of ever-heightening attack risk, integrating security in the software development lifecycle from start to finish seems low-hanging fruit in companies' efforts to make security Priority #1.