What Teams Should Know about DevSecOps
By Ashley Dotterweich
In the past, many teams were able to get by with security as an afterthought — or so it seemed. But as development cycles have become faster and devices more connected than ever before, there’s no mistaking the fact that every team needs to make security a priority.
More organizations are starting to implement DevSecOps and integrate security into the development process; one study found that while only a small percentage have fully implemented DevSecOps today, 68% of companies plan to use DevSecOps practices within the next two years. We chatted with Mike Kail, CTO of Everest.org, to learn more about what teams need to know about DevSecOps as they begin their journey towards shifting security left.
The Best Time to Start Implementing DevSecOps is Now
As DevOps practices gain broader adoption, security is often still a gap in the process; according to a survey of DevOps practitioners, only about half of organizations with mature DevOps processes perform automated application security analysis throughout the development process.
But the cost of not integrating security into application development is high. A study from IBM found that businesses without formal security protocols in place spent on average $4.74 million after a breach. “Every year there are thousands of data breaches, largely a result of source code and application-level vulnerabilities, but many organizations still take an antiquated approach to application security,” says Mike. “Organizations need to flip their security approach from defensive to offensive in order to anticipate and thwart attacks before they happen.”
Culture is the Biggest Barrier to Change
“The biggest barrier to DevSecOps is culture, not technology,” says Mike. “Development teams are more concerned with delivering new features and functionality at an extremely high velocity. Security teams are often seen as a blocker to delivery. They can create a lot of fear and uncertainty. To successfully transition to a DevSecOps methodology, both teams must be willing to make application security an integrated strategy and continue to drive security awareness for developers.”
Mike suggests that teams should look to successful implementations of DevOps as they model a more progressive, security-focused culture. “The core tenets of DevOps are collaboration, automation, measurement and sharing. We need to build a culture based on those ideas for application development and security.”
Scaling Out Can Hinder DevSecOps
For many large initiatives, the first questions a team might ask are, “Should I hire more people for this?” or “Do I need additional software/tools for this?” But for teams that are keen to start implementing DevSecOps, Mike warns against investing in tooling or hiring too early. The shift in your existing culture is critical to the success of a DevSecOps process, and putting the focus on new hires or new infrastructure can create additional roadblocks to that shift:
“A scale-out approach works extremely well for most infrastructure architectures and applications, but it is completely ineffective in terms of additional security tools and hiring more Security Engineers. This shifts the Security team even farther away from the Development and Delivery process and it doesn’t embrace the core tenets of the DevOps culture,” says Mike.
Tap Into the Security Community
Communication is at the heart of modern security practices — whether that’s building better communication practices internally or creating intelligence sharing relationships with other organizations. DevSecOps is still a new and evolving discipline, and organizations that are just getting started can benefit from learning from other teams with more mature DevSecOps practices already in place. Mike recommends checking out #DevSecOps on Twitter to get vendor-neutral input on the space. For more from Mike Kail on DevSecOps, application security and more, check out his Medium blog.
Learn More about Best Practices for Security at DevGuild: Enterprise Security
Developer companies face a unique set of challenges when it comes to designing, developing and selling secure products. At DevGuild: Enterprise Security, CISOs from organizations like Atlassian, HashiCorp and Splunk discussed topics including “Democratizing Security from the Top Down” and “Disclosing Incidents from Routine to Breach.” Watch the sessions here and check out other security content in the Heavybit library.