As technology becomes more complex, the security methods designed to protect and shield it also become more complex.
Existing security issues are pervasive and evolving, and new issues are constantly emerging that require increasingly advanced cybersecurity measures—DevSecOps is one of them.
DevSecOps is defined as the practice of addressing development, security and operations simultaneously across the entire application lifecycle.
“Data security considerations are addressed throughout the pipeline, not at the end,” said Meredith Bell, CEO of DevSecOps platform company AutoRABIT.
“This is to ensure that security vulnerabilities are found and fixed with the same quality, scope and speed as development and testing processes,” and to ensure each update supports a stable system, he said.
Mike O’Malley, SVP of strategy at IT services company SenecaGlobal, agreed that “it means thinking about application and infrastructure security from the start.”
Cybersecurity and software development efforts are combined so that security is built into every phase of the software development lifecycle – from initial design through integration, testing, deployment and software delivery.
In some cases, companies are incorporating security measures even earlier in the development cycle—a sort of “pre-step before devops” or, as O’Malley called it, “PlanSecOps”.
“So security isn’t just built in during development, it’s even built into frameworks before (developers) start coding,” he said.
DevSecOps and Devops overlap
Still, there’s no industry-standard definition or approach to DevSecOps, said George Spafford, VP analyst at Gartner — making it very similar to the devops from which it descends.
The term devops was coined about a decade ago, and the concept involves the combination of software development and IT operations. The ultimate goal is to shorten system development lifecycles and provide continuous delivery and high software quality. Devops, in turn, encompasses several aspects of the agile methodology, where projects are broken down into multiple phases to enable continuous collaboration and improvement.
As Spafford noted, “DevSecOps is still Devops, but it is explicitly stated that there is a need to work with information security and consider the necessary controls to mitigate risk.”
The benefits are the same as for developers, provided companies consider “everyone involved”, i.e. the enhanced ability to deliver customer value at the cadence/speed the customer requires, while managing risk.
Agile development and Devops/DevSecOps can be powerful when combined, especially when it comes to AI and other endeavors that require extensive and continuous experimentation and learning.
Still: “It shouldn’t be pursued just because it seems like a good idea. People should use Devops/DevSecOps where it makes sense, where there is a need,” said Spafford.
Especially compared to the waterfall approach—a linear approach to project management that requires completion of each phase before moving on to the next—agility is beneficial in situations where requirements are unclear or rapid changes are occurring. Spafford said Waterfall’s Achilles’ heel is that it requires users to identify needs in advance, when the needs are least understood. This means creating a project plan with a tremendous amount of work in progress and dependencies.
Agile allows developers to focus their efforts on customer outcomes and make regular releases, “maintaining the feature backlog to reflect the latest insights,” Spafford said.
“This is a powerful approach because it allows for incremental delivery of customer value, learning and continuous improvement,” said Spafford.
But organizations must also consider the downsides: overcoming existing culture and encouraging people to learn and change. These can be addressed, Spafford noted, but they must be considered from the start and throughout the process.
And finally, Devops and DevSecOps are “not a progression where you start with one and then move on to the other,” Spafford said. “By all means, start small, learn, improve, demonstrate value and grow your footprint.”
Growing concept, adoption
As security vulnerabilities proliferate, DevSecOps is becoming more defined as a concept and increasingly adopted.
According to Emergen Research, the global DevSecOps market will reach $23.42 billion in 2028, up from $2.55 billion in 2020, a compound annual growth rate (CAGR) of 32.2%.
This coincides with the growth of the devops market, which is projected to grow by more than 20% from 2022 to 2028, according to Global Market Insights. The company expects the segment to grow from about $7 billion to more than $30 billion over that period.
An increasing need for repeatable and adaptable processes, custom code security, and automated monitoring and auditing is driving this growth, Emergen reports. And a growing number (and iterations) of platforms and tools are emerging – from Unisys, Kryptowire, Red Hat and Rackner.
Increased protection in an “ugly” landscape
“DevSecOps is no longer an option — it’s a necessity,” Bell said. Likewise, “security is not an afterthought.” Rather, it should be integrated into every phase of the DevOps development cycle.
O’Malley agreed, noting that it’s common practice to add security to software at the end of the development cycle.
This wasn’t a significant issue until new development practices, including agile and devops, became more prevalent to shorten development cycles, he pointed out. Amidst this rollout, the end-of-cycle approach to security caused many delays or was skipped altogether in order to push new features to customers, creating more security vulnerabilities.
DevSecOps “is getting even more critical,” O’Malley said, emphasizing, “It’s ugly out there in security.”
Hackers in particular have gotten smarter and more sophisticated. They are increasingly developing ways to bypass multi-factor authentication directly through access points in public clouds, apps, mobile and IoT devices; to attack organizations directly and force them to pay ransom; and to use so-called “stalkerware” apps to record conversations, locations, and anything a user types “while disguised as a calculator or calendar,” O’Malley said.
He also pointed to the mainstreaming of cloud computing as a factor. As predicted by Gartner, by 2023, 70% of all enterprise workloads will be deployed in the cloud, up from 40% in 2020. Additionally, by 2023, enterprises across all industries are expected to have at least nine different cloud environments.
Hosting data and applications in so many places adds complexity that can make cloud security operations (or CloudSecOps) difficult to manage. And while it offers numerous benefits, not the least of which are cost and flexibility, the cloud also opens up more entry points. Businesses need to secure larger areas, and since access isn’t limited to physical location, “everyone is a potential threat,” O’Malley said.
Attackers can use third-party apps, employee credentials and bots to gain access, increasing the need for modern cybersecurity measures.
The shift to remote work and ongoing digital transformation have increased the vulnerability of organizations, Bell emphasized. Secure apps and continuous updates allow organizations to adapt without exposing themselves to attacks.
“Companies using DevSecOps solutions will experience fewer security drills in later phases and will deliver more secure, higher-quality code,” Bell said. “Pushing a development project through production and incurring technical debt is a recipe for disaster.”
Achieve cyber resiliency
When it comes to protection, having the right gear is key, Bell said.
Automated release management is an essential aspect of any DevSecOps strategy. This is the process of planning and working through the application development pipeline – from the earliest preparatory stages through development, testing, deployment and continuous post-release monitoring.
Continuous integration and continuous deployment (CI/CD) tools help strengthen testing processes and secure potential points of attack before the production phase, Bell said. Data backup tools can also be employed to automatically route data to the right place and maintain a consistent interface for employees and customers.
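The pipeline gate described above is the point where DevSecOps becomes enforceable: scan results from the build feed a policy check that blocks a release before it reaches production. The following is an added illustration, not code from the article or from AutoRABIT or SenecaGlobal. It assumes a simplified, tool-neutral JSON shape for scanner output (constructed here; real scanners have their own formats), constructed rule IDs such as `DEP-0001`, and a list of time-limited risk acceptances tied to a tracking ticket, so that a waiver cannot silently outlive the decision behind it.

```python
"""CI/CD security gate: block a release on unaccepted high-severity findings.

Added example for illustration; the scan format, rule IDs and acceptance
records are constructed and not taken from any real scanner or project.
"""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Severity ordering used for the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scan stage produced it (SAST, dependency, secret scan)
    rule_id: str    # scanner rule identifier (constructed values below)
    severity: str   # one of SEVERITY_RANK's keys
    location: str   # file:line or manifest:package


@dataclass(frozen=True)
class RiskAcceptance:
    rule_id: str
    location: str
    expires: date   # a waiver must expire; expired waivers no longer apply
    ticket: str     # where the decision was recorded


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding] = field(default_factory=list)  # fail the build
    waived: List[Finding] = field(default_factory=list)    # covered by a live acceptance
    warnings: List[Finding] = field(default_factory=list)  # below threshold, report only


# Constructed sample scan output (tool-neutral shape assumed for this example).
SAMPLE_SCAN_JSON = json.dumps({"findings": [
    {"tool": "secret-scan", "rule_id": "SEC-HARDCODED-KEY", "severity": "critical",
     "location": "src/config.py:12"},
    {"tool": "dependency-scan", "rule_id": "DEP-0001", "severity": "high",
     "location": "requirements.txt:flask"},
    {"tool": "dependency-scan", "rule_id": "DEP-0002", "severity": "high",
     "location": "requirements.txt:requests"},
    {"tool": "sast", "rule_id": "SAST-DEBUG-ENABLED", "severity": "medium",
     "location": "src/app.py:40"},
]})

# Constructed acceptances: one still valid, one already expired on SAMPLE_TODAY.
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("DEP-0001", "requirements.txt:flask", date(2022, 9, 30), "SEC-123"),
    RiskAcceptance("DEP-0002", "requirements.txt:requests", date(2022, 6, 1), "SEC-099"),
]
SAMPLE_TODAY = date(2022, 7, 15)


def parse_findings(raw: str) -> List[Finding]:
    """Normalise scanner JSON into Finding records; unknown severities are an error,
    so a malformed report can never be mistaken for a clean one."""
    doc = json.loads(raw)
    findings = []
    for item in doc["findings"]:
        sev = item["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {item}")
        findings.append(Finding(item["tool"], item["rule_id"], sev, item["location"]))
    return findings


def find_acceptance(f: Finding, acceptances: List[RiskAcceptance],
                    today: date) -> Optional[RiskAcceptance]:
    """Return the live acceptance covering this exact rule and location, if any."""
    for a in acceptances:
        if a.rule_id == f.rule_id and a.location == f.location and a.expires >= today:
            return a
    return None


def evaluate_gate(findings: List[Finding], acceptances: List[RiskAcceptance],
                  today: date, block_at: str = "high") -> GateResult:
    """Apply the release policy: findings at or above block_at fail the gate
    unless a non-expired acceptance covers them; lower ones are reported only."""
    threshold = SEVERITY_RANK[block_at]
    result = GateResult(passed=True)
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            result.warnings.append(f)
        elif find_acceptance(f, acceptances, today) is not None:
            result.waived.append(f)
        else:
            result.blocking.append(f)
    result.passed = not result.blocking
    return result


if __name__ == "__main__":
    gate = evaluate_gate(parse_findings(SAMPLE_SCAN_JSON), SAMPLE_ACCEPTANCES, SAMPLE_TODAY)
    for label, items in (("BLOCK", gate.blocking), ("WAIVED", gate.waived), ("WARN", gate.warnings)):
        for f in items:
            print(f"{label:6} {f.severity:8} {f.rule_id:20} {f.location}")
    # Non-zero exit status is what makes the pipeline stop before deployment.
    raise SystemExit(0 if gate.passed else 1)
```

Run as a pipeline step between the scan and deploy stages: the exit status is the gate. With the constructed input, the hardcoded key and the dependency finding whose acceptance expired block the release, the flask finding is waived under ticket SEC-123, and the medium SAST finding is only reported. Raising `block_at` to `"critical"` relaxes the policy so that only the secret blocks; the point of keeping acceptances dated and ticketed is that loosening the gate is a visible, reviewable change rather than a quiet drift.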
Protection also consists of helping employees become more “cyber-resistant”.
From communicating best practices like updated user permissions to implementing strong passwords to strengthening the ability to detect phishing attempts, Bell emphasized that “open communication is the key to success”.
https://venturebeat.com/2022/07/15/devsecops-what-enterprises-need-to-know/ DevSecOps: What enterprises need to know