DevOps, that combination of software development and IT operations, is designed to improve the development life cycle, getting software to market quicker and improve overall deployment. But for a long time, security seemed to get lost in the cycle. Get the software in front of the customers first, was the idea, and add security in later. Except that wasn’t working.
Enter DevSecOps. This builds the security component into the software development life cycle in an automated fashion. Security becomes everyone’s responsibility. Software engineers and security teams collaborate to embed security solutions into the software as each step of development and deployment. In other words, security is no longer an afterthought in software development but becomes baked in to the product.
“DevSecOps differs from traditional security methods which tend to be more bureaucratic, involve mandates from a central authority, and can be monolithic or “one size fits all.’ These factors can actually hinder security measures as they often focus on insignificant hypotheticals versus actual real-world threats,” Scott Matteson wrote for ZDNet.
Why We Need DevSecOps
Traditional methods of adding security to software development are inefficient. It added security after a vulnerability was found. That may have been an acceptable approach when cyberattacks were few and less intense. But now, as hackers are using increasingly sophisticated attacks and the technology infrastructure has undergone huge changes over recent years – particularly with more applications being deployed via the cloud with improved agility, speed, and scalability, old security approaches simply don’t work anymore. When security is an afterthought in today’s IT infrastructure, what you end up with is a never-ending cycle of patches and updates to address vulnerabilities. It is an inconvenience to both those on the development side and on the customer end.
But by adding security to the DevOps process, your team is now able to address potential security concerns as the software is being built and more rapidly address vulnerabilities that are later found in the code. Just as important, development and security are work as a team rather as individual entities, improving communication and collaboration. This allows software to get to market quickly but customers can be more assured that they are getting a security-first product.
Challenges with DevSecOps
While DevSecOps benefits the software development process, there are challenges in its implementation. Perhaps the biggest challenge is bringing security and development together. “While many security people have a good understanding of how to find application vulnerabilities and exploit them, they often don’t understand how software development teams work, especially in Agile/DevOps organizations. This leads to inefficiencies and a flawed program,” Michele Chubirka wrote in a blog post.
There is also a need for a strong security staff within the organization to work with DevOps team. Most organizations are struggling already to fill their security skills gap so may not have the internal team to work with DevOps.
And DevSecOps won’t magically eliminate security vulnerabilities. Hackers will still find a way to exploit the software. Even though the DevSecOps team is able to more quickly mitigate a cyber incident, leadership may get discouraged that there is still a need to continue to address security after the software is deployed. This could result in the security component being eliminated from the DevOps process.
But the need for security in DevOps should override any of these challenges. As software becomes faster and more agile, and as hackers become more sophisticated in how they attack applications, DevSecOps will be more of a necessity than a luxury in software development.