The competitive edge of DevSecOps
Bringing your Modern Software Factory to life.
As I have stated before, every company is essentially a software company. It’s how we connect and engage with customers and partners. Security is a critical part of enabling a “software” company to effectively engage with customers by building their trust through protecting their data.
Now that the development process is more automated, the days of security testing coming late in the process should be history. The implications are far too great for companies to continue to operate in this archaic way. Instead, security must be included from inception and play a part in the creation, manufacturing and delivery process.
However, a Freeform Dynamics survey (commissioned by CA Technologies) found that an organization’s culture has a profound influence on its ability to integrate security practices from the start as part of the software development lifecycle. This practice – commonly known as DevSecOps – is critical to business success in the digital economy.
While many agree that adopting a DevSecOps approach is good for business, the reality is that organizations are challenged to embrace it. This research study highlights those challenges and brings to light a hurdle that organizations are finding difficult to overcome – the organizational culture aspect.
The study found that 58% of respondents cited existing culture as a hurdle to being able to embed security within processes, while only 24% strongly agree that their organization’s existing culture and practices support collaboration across development, operations and security. On top of cultural limitations, fewer than a quarter of respondents strongly agree that senior management understands the importance of not sacrificing security for time-to-market success. This data points to an organizational culture gap that is impeding organizations’ ability to incorporate DevSecOps.
But there is light at the end of the tunnel. The study also introduces the concept of Software Security Masters (the top 34% of respondents), which are organizations that have been able to overcome these cultural challenges and fully integrate security into the software development lifecycle. According to the survey, when compared with the mainstream, the organizations that exhibit these attributes also report other benefits, such as 50% higher profit growth, and are 2.5x more likely to be outpacing their competitors. This evidence shows that it can be done and that there are organizations that are doing it successfully.
The research findings shed light on the fact that an organization’s culture has a major impact on its ability to incorporate security into the development process, a practice that’s critical to business success in the digital economy. There are a few things to consider in order to drive improved agility throughout an organization’s cultural shift, ensure secure delivery and become a “Software Security Master”:
This means making sure that every part of the user experience is well thought-out, and that ease of use is paramount. Customers should be able to use products and programs without it being obvious that security is integrated into the technology – it should be seamless. By making sure the user experience is first class, you help customers build confidence in your product and your ability to protect their data.
Long gone are the days when security is considered after a product has undergone development. DevOps now sets expectations of greater flexibility and speed, and security must be part of those conversations as well. As new versions are iterated, with feedback consistently being incorporated, it is critical that improved security measures are included in each version. This allows for an improved product, worthy of measuring up to increasingly demanding customer standards.
Integrating security throughout an entire business allows companies to become more efficient across the board, including development operations and quality control processes. Security must be a priority for everyone involved, otherwise it gets compromised for faster time to market, meeting deadlines, and implementing other priorities to serve a fast-paced business plan. Although security might take a larger upfront investment, the return can be significant in terms of customer trust, additional sales, referrals and the like.
Despite the advances in technology, there’s still a very human element to whether a company embraces security practices. I believe that the organizations that have achieved Software Security Mastery have cracked the code when it comes to figuring out a way to influence change – by breaking down silos and adopting agile practices – which are characteristics of the workplace of the future.