How DevSecOps can help organizations increase security, move faster and save money
With developers under constant pressure to create more software in less time, the last thing you need is for your code to fail at the end of the development lifecycle. No developer wants to create inoperable or insecure code.
We know that most software products reach the market with flaws or vulnerabilities. On average, more than 85 percent of all software applications have at least one vulnerability, and more than half of flaws remain unaddressed for one to three months after first being discovered.
The sooner a developer can identify, view and correct a flaw, the cheaper and easier that fix becomes within the software development life cycle (SDLC). That is the underlying philosophy of DevOps. Despite the somewhat negative connotation, failing early in development can be beneficial in deploying software to market more quickly.
The most advanced organizations today employ a DevSecOps model, which tends to incorporate more frequent security scans, incremental fixes and faster rates of flaw closures into the SDLC. More importantly, it allows security teams to shift left to test software products against security standards earlier in the development process.
According to Gartner, more than 80 percent of development teams will implement DevSecOps by 2021. In 2017, that number was around 17 percent.
In Veracode’s latest “State of Software Security” report, we discovered companies that adopt a DevSecOps approach to development are addressing software vulnerabilities more than 11 times faster than companies that use a more traditional software development method. In the process, DevSecOps companies are innovating faster, saving money and becoming more efficient in how they identify and resolve new risks.
By integrating developers with IT operations and focusing everyone on making better security decisions, DevSecOps can help deliver safer software with greater speed and efficiency.
Introducing security earlier in the development process gives teams a sort of blueprint for building within the requirements of major IT regulations, and it helps reduce risk by fixing vulnerabilities before they can be exploited. Think of it like building an apartment complex according to city codes with inspectors integrated into the construction crew.
In practice, DevSecOps can add some friction and hinder the development process. Traditional tools for testing code and assessing application security risk simply weren’t built for the speed that DevOps testing requires.
To make DevSecOps successful, development teams need to start with automated testing tools, as relying on manual processes can’t possibly keep pace with accelerated development timelines. Tools that can be used in an integrated development environment (IDE) are key, as they allow developers to integrate security into their workflow rather than having to launch a new environment whenever they need to test code. Solutions that check for flaws during the coding process enable developers to address vulnerabilities early on when fixes are the most cost-efficient. And because DevSecOps is equally concerned with security when software is in production, development teams need tools for testing applications after release. Development teams, meanwhile, must be comfortable with changing the way they work.
Business leaders must recognize the importance of integrating security with development and communicate that priority to development teams. New regulations such as the EU General Data Protection Regulation (GDPR), which can fine companies up to 4 percent of their revenue for failing to disclose processes related to data breaches, are now in place. All businesses must be motivated to operate with a security-first mentality that permeates the business, including its development teams. Veracode data shows that customers taking advantage of DevSecOps’ continuous software delivery are closing their vulnerabilities more quickly than the typical organization.
DevSecOps doesn’t always require security personnel to be physically involved in the development process. Companies can and should train developers on basic security techniques and offer security resources to help developers become responsible for the security of the software they build.
As the DevOps movement has unfolded, security-minded organizations have recognized that embedding security design and testing directly into the continuous software delivery cycle of DevOps is necessary. This is the genesis of DevSecOps principles, which offer a balance of speed, flexibility and risk management for organizations that adopt them.