In many organizations, DevOps functioned separately from security. With the increased speed to develop and deploy, security controls are often an afterthought. However, the DevSecOps movement to include security sooner rather than later is proving to pay off.
DevOps is a set of practices that employs continuous integration processes by breaking down the silos between software development and IT operations.
Traditionally, many organizations separated teams by function in order to develop, deploy and govern applications within an infrastructure. However, the race to innovate and digitally transform a business has sped up the pace to produce and release new features. Security is often an afterthought, which reduces quality and makes for a lot of unhappy customers. Adding an application code change near the end of the development cycle is not only extremely costly (due to additional testing and re-certification), it reinforces the common perception that “security slows us down.”
As cycle times accelerate and development teams adopt more Agile methodologies to release software faster, continuous integration through DevOps aims to deliver more frequent releases, with more new capabilities to market, faster. It’s all about speed.
Using security best practices early in the software development lifecycle can create dramatic positive effects on cost and efficiency. However, within many organizations security teams continue to exist in a silo—just as development and operations teams operated in silos prior to the DevOps movement. Because of this, an even newer movement has arisen that infuses security into the continuous integration/deployment process: DevSecOps.
The DevSecOps movement’s increasing popularity is due in large part to a methodology called “shifting left.” “Shifting left” is where software development teams focus on robust code from the start. This method moves security away from its reactive role as gatekeeper and more toward a preventative role. Security teams provide guidance and support for development teams and build security automation into the Continuous Integration/Continuous Delivery (CI/CD) development pipeline sooner rather than later.
In a DevSecOps environment, security is a shared responsibility that builds far greater collaboration and feedback, breaks down the barriers between development, operations, and security, to get features to market faster with lower cost and higher efficiency.
Even with security as a shared responsibility, security teams can’t expect developers to instantly become security experts and make the right security control decisions the first chance they get. Just like DevOps, DevSecOps is a philosophy that requires cultural change in the way applications are developed and deployed. However, if security teams focus on the five areas below, they can lower cost, increase efficiency, and improve ability to scale:
SHIFT LEFT
and build security into the process as early as possible in the development lifecycle.
MAKE THE SECURE PATH THE EASY PATH
by focusing on delivering packaged, frictionless security controls that are built into the developer’s (CI/CD) pipeline.
BREAK DOWN SILOS
to increase collaboration and feedback between development, operations, and security teams (App Devs, DevOps, and SecOps).
NURTURE SECURITY CHAMPIONS
within your development teams to keep security top of mind.
CREATE A BUILD PIPELINE
to build security controls and testing in the same tool the developer uses. This way, controls are applied automatically and consistently, and development teams don’t have to depend on security teams for every new release.