3 Must-Haves When Implementing DevSecOps

The term DevSecOps is already more than a dozen years old. DevOps—the practice of combining software development with IT operations to deploy applications faster—was first coined in 2008 and refined in a historic conference presentation in 2009. DevSecOps—the concept of baking in security at every stage of Agile development, rather than tackling it at the end—followed soon after. 

Despite a huge amount of industry conversation and activity around DevSecOps, it has been hard to tell just how much traction the movement has been gaining.

In a 2020 survey of 1,500 IT professionals around the world by the Synopsys Cybersecurity Research Center, 63% reported that they are incorporating at least some DevSecOps activities into their development pipelines. “At least some” indicates, however, that a portion of the adopters have yet to fully embrace DevSecOps. And what about the other 37% who haven’t incorporated it at all?

Nevertheless, two factors suggest that DevSecOps is starting to pass a tipping point on the way to mainstream adoption.

One, the prodigious number of cyberattacks that have been hitting companies and government agencies demands aggressive and proactive approaches to security, which is exactly what DevSecOps provides.

Two, the pandemic has been a powerful accelerant for digital initiatives. For example, global spending on public cloud services was predicted to grow slightly more than 23% in 2021, to $332.3 billion from $270 billion in 2020, according to a forecast from Gartner. In addition to the greater reliance on technology driven by COVID-19, increasing use of emerging technologies such as containerization and edge computing is fueling higher cloud spending. All of this points to the need for organizations to take security risk into account throughout the modern software development life cycle.

The logic behind DevSecOps is undeniable. Viewing security as a shared, collaborative responsibility among development, operations and security functions starting at the earliest possible stage—the methodology known as shifting left—rather than in silos enables the deployment of secure software at the speed and responsiveness that today’s business conditions require.

Companies that have successfully meshed the three functions under the broader DevOps paradigm enjoy radically reduced friction in software development and production. These organizations can deploy software faster and more safely with fewer design flaws, misconfigurations and other missteps that can lead to security issues.

Companies not as far along in their DevSecOps journeys tend to have espoused some of its practices, but not consistently. Clunky, linear waterfall approaches persist here and there. Vulnerability management remains a reactive box-checking effort late in the life cycle, forcing developers to backtrack and fix the code, rather than a proactive, preventative process seamlessly integrated from design to production.

The more advanced organizations typically focus on three key ingredients to assure success.

1. Education. DevSecOps is a cultural shift as much as a technological one. It requires a new mindset that empowers developers to take ownership of creating secure code from the beginning of the software development life cycle. Thus, IT leaders can’t simply snap their fingers and expect DevSecOps to take hold without educating team members on why it is so critical and how it drives, rather than disrupts, great work.

“Organizational learning and change are key to allowing DevOps to flourish,” senior Gartner analyst George Spafford wrote. “In other words, people-related factors tend to be the greatest challenges, not technology.”

This means that before introducing DevSecOps into an organization, it is important to connect the endeavor with the value it will bring and explain why it will allow the business to deliver more value to customers and improve its competitiveness.

2. Process. The right DevSecOps policies and processes can spell the difference between a nimble software development machine and one still bogged down by inefficiency.

For instance, many organizations that rely heavily on scanning tools to detect vulnerabilities assign nonsensical policies to their use. Let’s say that vulnerabilities of a particular score or type need to be eliminated before code is deployed to production. But what if the flaw resides in an unimportant section of the code and is unexploitable?

The best DevSecOps initiatives include policies and processes that seek to understand the entire context of a project, from design to production, and handle everything in a way that reflects the true risk to security and compliance requirements, rather than merely running all code through the same pipeline.
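To make the contrast concrete, here is an added example (not code from the article or from any product it mentions) of a CI deployment gate that compares a blanket CVSS-threshold policy with one that weighs the same findings by context. The findings, their IDs and the weighting factors are all constructed for illustration; a real pipeline would take reachability and exposure from its own SCA/SAST tooling and asset inventory.

```python
"""Blanket vs. context-aware vulnerability gate for a CI pipeline (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                # scanner finding id (constructed placeholder, not a real CVE)
    cvss: float            # raw severity score reported by the scanner
    reachable: bool        # is the vulnerable code path reachable from the app's entry points?
    internet_facing: bool  # does the affected component process untrusted external input?


# Constructed sample scan output for a single build.
SAMPLE_FINDINGS = [
    Finding("SCAN-0001", 9.8, reachable=False, internet_facing=False),  # dead code, internal
    Finding("SCAN-0002", 7.5, reachable=True, internet_facing=True),    # live, exposed
    Finding("SCAN-0003", 5.3, reachable=True, internet_facing=True),    # live, exposed, medium
    Finding("SCAN-0004", 8.1, reachable=True, internet_facing=False),   # live, internal only
]

THRESHOLD = 7.0  # assumed organisational "block the deploy" line


def naive_gate(findings, threshold=THRESHOLD):
    """Blanket policy: block on raw score alone, regardless of where the flaw lives."""
    return [f.id for f in findings if f.cvss >= threshold]


def effective_risk(f: Finding) -> float:
    """Discount the raw score by deployment context (weights are assumptions)."""
    score = f.cvss
    if not f.reachable:
        score *= 0.25  # unreachable code cannot be triggered by an attacker
    if not f.internet_facing:
        score *= 0.6   # internal-only components need an initial foothold first
    return round(score, 1)


def context_gate(findings, threshold=THRESHOLD):
    """Context-aware policy: block only on effective risk; still track high raw scores."""
    decisions = {}
    for f in findings:
        if effective_risk(f) >= threshold:
            decisions[f.id] = "block"   # fix before deploy
        elif f.cvss >= threshold:
            decisions[f.id] = "track"   # deploy, but open a ticket with a due date
        else:
            decisions[f.id] = "accept"
    return decisions
```

Under the blanket policy three of the four findings halt the build; the context-aware policy halts it on the one flaw that is both reachable and exposed and keeps the other high-score findings visible as tracked risk rather than silently passing them.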

3. Tooling. Fact: Without the right automated tools that provide deep visibility into code, a DevSecOps implementation doesn’t stand a chance.

To carry out the qualities of collaboration and agility that DevSecOps promises, organizations should gravitate toward tools that give developers all the relevant information they need to make more informed decisions.

These tools must truly simplify the addition of security into DevOps methodologies by automating the manual processes that have traditionally slowed everything down: threat models, security and compliance reviews, pentests, risk assessments and the like. The tools can’t just aggregate data from silos, which fails to provide enough contextual information and generates too many false positives; they need to provide holistic relief to overburdened teams by securing applications at the feature request, commit, pull request and CI/CD stages.

By keeping these three elements in mind, organizations can fulfill DevSecOps’ potential as a true game-changer. As DevSecOps continues to cross the chasm to more universal adoption, organizations can look to earlier adopters for guidance on how to do DevSecOps right.

Moshe Zioni

Moshe has been researching security for over 20 years in multiple industries, specializing in penetration testing, detection algorithms and incident response; he is a constant contributor to the hacking community and has been co-founder of the Shabbatcon security conference for the past six years.
