Broadening the concept of devops, devsecops is an emerging organizational and cultural framework encompassing the orchestration of development, IT operations and security teams. In practice, its enabling technologies—continuous integration (CI) and continuous deployment (CD)—have transformed software development to make it agile, more reliable and more collaborative and incremental. Acceleration and precision have enabled state-of-the-art software enterprises to operate in ways not unlike the industrial factories of the past. And, like past industrial revolutions and manufacturing-based economies, the app economy depends on superior quality, secure products and high degrees of customer satisfaction in order to survive and thrive. As a result, the responsibility for ensuring the stability and resiliency of applications—from the production stage right through to consumer use—is pulled forward in the cycle to include developers.
This “shifting left” means that security testing can be deeply incorporated into app coding earlier, which heavily increases the likelihood that secure code will be produced in the first place, without costly late-stage fixes further down the road. However, this paradigm shift has a number of implications for security professionals and developers alike. It’s time to rethink responsibilities, break down silos and revamp the engagement model between the actors in a devsecops cosmos.
An iterative process no longer makes sense
In the pre-digital era, security testing for apps was solely the domain of the security folks, making the process complex, costly and lengthy. Testing was typically performed at the last minute, right before the code was released for production—or worse, after the app was deployed to the world. Because of ambitious planning and tough deadlines, some releases even went live without any fixes at all—sometimes with disastrous consequences. On one hand, detecting and fixing security-related issues late in the development process was a major cost burden. On the other hand, when things went south post-release, the less-expensive rush to market proved to be a false economy.
But longstanding development paradigms are shifting, and security testing has transitioned from its usual late-in-the-game stage to become deeply embedded right from day one. Many organizations today use application security frameworks that require certain tests at various stages of development. This is an effective approach to application security that can substantially mitigate risk and, ultimately, result in much better outcomes. However, the number of applications is growing exponentially and development cycles are accelerating at a breakneck pace. Consequently, some organizations are having a hard time keeping up with the demand for thorough, consistent and timely testing. The security folks never seem to have enough resources and capabilities to scale this undertaking.
Stronger collaboration needed
Not only is the security professional’s role changing in this new paradigm; cultural changes will also need to be taken into account. In terms of culture, devsecops arguably represents a bigger change for security than for dev or ops teams. Like it or not, security professionals must embrace this cultural shift and change their mindset, or get left in the dust. As the old-school silos crumble and previous demarcation lines blur, security is now a joint task and everyone’s responsibility. In turn, professionals in the field will have to alter their deep-rooted privacy mentality and start to share their reporting and platforms more openly with others across the organization, even those with whom they may once have been reluctant to share.
Nevertheless, that sharing needs to happen, and in all directions. For instance, it’s no longer feasible to make extensive security demands of development teams without any knowledge of their own constraints and priorities. Security and development need to seek much closer alignment and collaboration, which means understanding each other’s pain points in a far more granular way. The days of simply handing developers a long list of security-related code defects, heading to the water cooler, and checking a box on a departmental to-do list are over.
From control-based to context-based security
Context-based information security is becoming more important than ever as IT consumerization and cloud and mobile computing erase network perimeters that used to be rigidly controlled. Due to the erosion of what was once a well-defined security perimeter, traditional “control-based” security solutions such as hardware firewalls must evolve to become “context-based” solutions driven by factors such as “Does the application process/store sensitive data?” and “Is this a private, internal application or a public-facing one?”
“This is another area where the culture of devsecops can be a big help,” says Mike D. Kail, Co-Founder and CTO of Cybric. “Once again, security people must collaborate with application developers to fully understand the aforementioned context, and then automate security approaches and continuously measure improvements in overall resiliency.”
Make no mistake: devsecops is poised to disrupt and transform the future of the app economy. As this framework unfolds, it will also change how people do their jobs, and even what their core responsibilities are. The security-related tasks in the development process are evolving radically—and it’s a one-way trip. There’s no going back. But it’s also something positive and perhaps long overdue. It’s a unique opportunity to take application security to a whole new level and free up the security experts to spend time on more value-creating activities such as advising and coaching when it comes to safeguarding digital business models. The key is to understand what’s driving the shift and its implications for the security team—and to be prepared to not only survive it, but thrive as a result.