Rawpixel - Fotolia

The rise of DevSecOps

The increasing complexity of security threats facing enterprises is leading to DevSecOps approaches, which combine operations and development with security, so that all business units are involved in security operations

This article can also be found in the Premium Editorial Download: Computer Weekly: Modernising IT at the Bank of England

Collaboration is at the centre of DevSecOps, with traditional IT security operations joining with sales, marketing, human resources and other departments to play a part in protecting the company against security risks.

“I think experience has shown over recent years that operational security, or rather the lack of it, can have just as devastating an impact as some technical vulnerability,” says Alan Woodward, computer security specialist and visiting professor at the University of Surrey.

“Security has always been about people, process and systems. What is happening now is that the people and process part is becoming better formalised as a discipline in its own right,” he adds.

Companies that start the journey to DevSecOps need to view security as not just the security team’s problem and enable operations to react effectively to all manner of constantly evolving threats. Processes will have to change to reflect this new approach, but there must be an equally significant shift in corporate culture.

A member of the marketing team, for example, could flag a phishing email and an engineer may report a cross-site scripting (XSS) vulnerability.

“DevSecOps is a growing movement to incorporate security into DevOps practices in order to make sure flaws and weaknesses are exposed early on, whether that is through monitoring, assessment or analysis,” says Mary-Jo de Leeuw, director of cyber security advocacy for Europe, Middle East and Africa at cyber security professionals’ training and certification organisation (ISC)2.

Security breaches have the potential to cause serious financial and reputational damage, with regulations such as the EU’s General Data Protection Regulation (GDPR) opening up firms that have inadequate safeguards to substantial fines. This environment puts renewed pressure on firms to identify security gaps and quickly provide patches before hackers seek to exploit them.

According to Gartner, by 2020, 99% of vulnerabilities exploited by hackers will have been known to security and IT professionals for at least a year.

“We need to take a more pragmatic, more collaborative, as well as a developer and operations-oriented approach to security in order to be effective and to keep pace with the speed of change in software, the web and other parts of the IT estate,” says de Leeuw.

“In a world where software can change and respond to customers’ needs multiple times a day, I really think that old security models are simply no longer valid.”

Business benefits

An increasing number of organisations are embracing the DevSecOps approach. A Gartner report found that, by 2021, DevSecOps processes will be used by 80% of development teams, growing from just 15% in 2017.

It is hard to argue that the faster development times, lower costs and enhanced application security offered by DevSecOps approaches are not an attractive proposition for many organisations dealing with an increasingly complex range of cyber threats.

Unlike more traditional models, where systems were built by developers and then scrutinised to uncover vulnerabilities, DevSecOps builds security in at the code level. There are distinct business benefits to this, most notably the ability for developers to identify and fix security gaps faster and earlier in the development lifecycle. This can vastly reduce the need to perform costly, unforeseen remedy work down the line.

Scott Nicholson, director of cyber security consultancy Bridewell Consulting, says: “Without having a DevSecOps approach, organisations may run into the risk of operating online with software vulnerabilities or a false sense of security that traditional security assurance and testing approaches will provide the answer. It makes absolute practical business sense to adopt a DevSecOps culture.”

Read more about DevSecOps

The State of Software Security (SOSS) report, published by application security firm CA Veracode, also identified the security benefits of DevSecOps practices. Flaws were fixed 11.5 times faster in companies with the most active DevSecOps programmes, compared with those that had not implemented DevSecOps.

Driven by the need to increase innovation and efficiency, digital transformation initiatives are now commonplace in businesses of all sizes. But rapid technological advancement can often come at the expense of security, with some firms considering security an obstacle that slows down progress. DevSecOps can help bridge this gap and make sure security is not sacrificed, through the use of automation tools.

By making use of tools that enable code scanning to be automated and almost instantaneous, DevSecOps removes most of the time-intensive human work. Instead of staff waiting for security alerts to pop up, DevSecOps solutions can actively monitor programs and analyse results from such code checks.

“When security can be automated, it is far more efficient,” says Brook Schoenfield, master security architect at security consultancy IOActive. “Once again, by being coded into the build and deployment chain, security tests and checks become a natural output from adopting DevSecOps.

“There are tasks within software security that require human analysis. This is not to say that in some environments, portions or even a fair amount of typically human analysis security tasks cannot be automated, at least in part.”

Transitioning to DevSecOps

Moving away from legacy security approaches and adopting DevSecOps is far from an overnight process and there is no one-size-fits-all solution, leaving each company responsible for making its own comprehensive migration plan.

But it is unlikely to be a successful changeover if current development processes are not fully known and there is no well-defined understanding of the exact threats that are being defended against.

There is common ground between DevSecOps and other programming philosophies around development practices, but the increased attention placed on security throughout the development cycle sets DevSecOps apart.

If cross-site request forgeries (CSRFs) and SQL injection attempts top the threat list, companies should ask themselves whether their teams have the right skills to evaluate these challenges proactively.

Bridewell’s Nicholson suggests making sure existing toolsets provide built-in security functionality and ensure that wider infrastructure security considerations are examined, as well as looking at what processes can be automated.

“Once organisations have answered these questions, they can start to develop a target operating model, which articulates where they want to be in terms of having a DevSecOps capability and what they need to do to achieve this,” he says.

Continuous security checks

Continuous security checks allow vulnerabilities to be found and addressed far more quickly than traditional methods can achieve. IBM has estimated that the cost of fixing issues at the software design stage is 100 times lower than fixing them during maintenance of a live product.

The growth of DevSecOps is already changing dominant cyber security strategies, as its benefits become more widely visible. “It ensures higher levels of assurance within software development, expediting the design to go-live process,” says Nicholson.

“The concept of embedding continuous feedback loops within the different stages of the pipeline introduces a level of automation, enables bug fixes to be applied at pace, and maintains a level of self-governance without the bureaucracy associated with traditional system development life cycle approaches.”

DevSecOps may have been considered a mere buzzword a few years ago, but as a more joined-up security approach is required to protect enterprises from constant threats, it has clearly moved far beyond this status.

The DevSecOps approach can provide an effective framework to repel nefarious actors, at the same time as improving efficiency and enabling innovation throughout a company.

Next Steps

Apiiro wins RSA Conference Innovation Sandbox Contest

Read more on Application security and coding requirements