Just What Is DevSecOps?

by June 21, 2018

“No such thing as bad publicity”? That may have been true once, but it no longer holds in today’s digital era.

We all want to make the headlines, but only for the right reasons. Countless companies are striving to become press darlings and be dubbed “the Airbnb of fill-in-the-blank” or “the next Uber.” But for enterprises taking tentative steps toward digital transformation, it is just as important to avoid making headlines for the wrong reason: a security failure.

The Security Challenge

Security breaches and leaks seem to be becoming ever more commonplace. Spend a minute searching for “data breach” and skim the top stories: chances are good that at least one incident has been reported today, another firm that failed to protect its data and now finds itself in hot water. Over the last few years, companies of all sizes have suffered major data leaks, and most worryingly, the size and scope of each new breach seems to outstrip the last. The statistics are distressing too. Approximately 62% of all cyber-attacks target smaller businesses, and according to Insurance Business Magazine, more than 31% of small businesses are “unable to sustain their operations for more than a week” after being hit by a cyber-attack.

Clearly, security threats are increasing, and keeping up with them is becoming a challenge in its own right. DevSecOps may be the key to doing so. For start-ups hoping to become the next big thing, the odds can look stacked against them, unless they join the growing number of organizations adopting a DevSecOps mindset.

DevSecOps and Why It Matters

The basic principle of DevSecOps (Development, Security and Operations) couldn’t be clearer: throughout the software development life cycle, everyone is responsible for security. While this may seem obvious, historically it hasn’t always been the case, primarily because developers haven’t been overly concerned with the security of an application; their focus has been on functionality.

DevSecOps seeks to change this mind-set by building security into the heart of the application release process. That is increasingly vital: as applications have become more complex and capable, so have the security issues they face.

As we all know, a major part of DevOps is how applications are deployed and monitored, and automation plays a big part in that. But if it is not governed properly, the same automation that lets us move faster than ever before without compromising quality may itself be introducing vulnerabilities.

Think of the access and permissions granted to automation agents or bots. They are regularly given administrator-level access, but how often are those privileges reviewed? Once the bot has made its environmental change, does it still need administrator-level access, or are you succumbing to privilege creep? Remember that every administrator account you keep enlarges your attack surface: each one is a potential back door into your systems, and therefore into your business.
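The privilege-creep check described above can be automated. The following is an added example written for this page, not code from the original article or from any particular vendor: a Python audit of an IAM-style policy document attached to a hypothetical CI deploy bot. It flags grants that amount to standing administrator power or that can be used to mint more privilege, lists grants that no recorded API call exercised in an observation window, and emits a scoped-down policy containing only the actions the bot actually used. The policy, the set of “observed” calls and the list of escalation-capable actions are all constructed for the example; in practice the observed calls come from your cloud audit log over a fixed window.

```python
"""Audit an IAM-style policy attached to an automation identity for standing
admin power and privilege creep, then produce a least-privilege rewrite.
Everything below (policy, observed calls, escalation list) is constructed
sample data for this hypothetical example."""
import json
from fnmatch import fnmatchcase

# Constructed sample: policy carried by a hypothetical CI deploy bot.
DEPLOY_BOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PushImages", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload", "ecr:PutImage"],
         "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/app"},
        # Granted when the environment was first built and never revisited.
        {"Sid": "BootstrapLeftover", "Effect": "Allow",
         "Action": "ec2:*", "Resource": "*"},
        # Lets the bot create new privilege for itself or for others.
        {"Sid": "ManageRoles", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"],
         "Resource": "*"},
    ],
}

# Constructed sample: distinct API calls the bot made in the last 90 days,
# as you would extract them from the cloud audit log.
OBSERVED_90D = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:PutImage",
    "ec2:DescribeInstances",
}

# Assumed (not exhaustive) list of actions that can be used to gain more privilege.
PRIVILEGE_ESCALATION = {
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use '*' and '?'.
    return fnmatchcase(action.lower(), pattern.lower())


def allow_statements(policy):
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"]


def findings(policy):
    """(Sid, action, category) for every grant that is admin-equivalent,
    a whole-service wildcard, or an escalation-capable action."""
    out = []
    for s in allow_statements(policy):
        if "NotAction" in s:  # "everything except ..." is admin-equivalent until reviewed
            out.append((s.get("Sid"), "NotAction", "not-action"))
        for action in _as_list(s.get("Action", [])):
            if action in ("*", "*:*"):
                out.append((s.get("Sid"), action, "full-admin"))
            elif action.endswith(":*"):
                out.append((s.get("Sid"), action, "service-wildcard"))
            elif any(_matches(action, esc) for esc in PRIVILEGE_ESCALATION):
                out.append((s.get("Sid"), action, "privilege-escalation"))
    return out


def unused_grants(policy, observed):
    """(Sid, action pattern) pairs no observed call exercised: privilege-creep candidates."""
    return [(s.get("Sid"), a)
            for s in allow_statements(policy)
            for a in _as_list(s.get("Action", []))
            if not any(_matches(a, o) for o in observed)]


def scope_down(policy, observed):
    """Rewrite each Allow statement to the concrete actions actually exercised,
    drop statements with none, and pass non-Action statements through unchanged.
    Resources are left as they were; narrowing them is a separate review."""
    statements = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow" or "Action" not in s:
            statements.append(s)
            continue
        used = sorted({o for a in _as_list(s["Action"]) for o in observed if _matches(a, o)})
        if used:
            statements.append({**s, "Action": used})
    return {**policy, "Statement": statements}


if __name__ == "__main__":
    for sid, action, category in findings(DEPLOY_BOT_POLICY):
        print(f"FINDING  {sid:<18} {action:<24} {category}")
    for sid, action in unused_grants(DEPLOY_BOT_POLICY, OBSERVED_90D):
        print(f"UNUSED   {sid:<18} {action}")
    print(json.dumps(scope_down(DEPLOY_BOT_POLICY, OBSERVED_90D), indent=2))
```

Two points worth noting in the output. The `ec2:*` grant is not reported as unused, because one `ec2:DescribeInstances` call exercised it, which is why the wildcard check exists alongside the usage check: a single benign call keeps a whole-service grant “alive”. And the scoped-down policy still carries `Resource: "*"` on that statement; narrowing resources, and checking that the observation window is long enough to catch infrequent jobs, are review steps to do before the rewrite is applied.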

DevSecOps seeks to mitigate issues of this kind before they become incidents. In the past, traditional security approaches were typically slow and cumbersome. Worse, they were introduced either very late in the deployment process or only after a vulnerability had been discovered in a shipped product. The primary goal of DevSecOps is to find these vulnerabilities early, encouraging practitioners to build security processes and controls into every stage of the development cycle rather than bolting them on after the fact.

Although it can take time to establish a fully functioning DevSecOps team, and a cultural shift is more likely to be needed than not, the benefits outweigh the costs. In the long run it will reduce your security expenditure and lower the chances of your falling victim to a cybersecurity incident. Just like DevOps, DevSecOps seeks to provide better results at greater speed through collaboration, communication and a greater emphasis on operations and security. After all, security is a key principle of the Modern Software Factory, and adopting robust security practices is one way to build a strong foundation for success.