Fortune 500 Financial Firm: There’s No Reason Security Should Impede DevOps Speed
Speed or security? You can have it both ways with DevSecOps.
Not long ago, it might have taken a year for a company to release a new application—but now that same company may push out several releases in a single day. The shift to DevOps and agile methodologies has accelerated the development process to a dizzying new pace that's forcing businesses to rethink their approaches to security and vulnerability checks.
Still, a recent report found that more than two-thirds (68 percent) of business and IT leader respondents have taken security shortcuts to roll out apps and services more quickly.
To balance the speed of deployment with security, many companies are turning to experts like David Wayland. A senior security program manager for a Fortune 500 financial company, Wayland has been in the IT industry for more than two decades, including 15 years as a developer.
Prioritizing Security from the Start
So, what advice does Wayland offer to companies that need to reconcile security concerns with adapting to the fast pace of DevOps?
The key, he says, is injecting security into the development process from the very start, rather than making it a “check the box” step just before a release.
“Application security is no longer a nice-to-have. It's a must-have,” Wayland says, “requiring a process that addresses vulnerabilities before going to production. Security must become part of the thought process and an important part of the development culture.”
In some ways, Wayland says, it's actually easier (and faster) to build secure applications with DevOps than it was with earlier approaches like waterfall or agile. The reason? Developers now have numerous tools and APIs at their disposal, including Veracode, to automate security within their DevOps environments.
“In order to maximize speed to market,” Wayland says, “DevOps must be fully automated. And since every security platform today has an API, you can automate security just like everything else.”
But too often, he says, companies don't take advantage of those security APIs. Instead, they save security for the end of the development cycle.
Shifting Left for Security
Today's DevOps security integration, or DevSecOps, is aligned with the overall Shift Left movement, in which developers work to find a security bug or vulnerability early in the development cycle at a point when it costs far less time and money to fix.
“QA has shifted left over the last 10 years,” Wayland says. “Now we're running security scans earlier in the process. That's because a bug caught in production is as much as 30 times more expensive to fix than one caught early in development.”
To check for security bugs and weaknesses, several companies Wayland has worked for have used software created by Veracode, an application security company. (CA Technologies acquired Veracode in April 2017.)
By incorporating security scans early in the process, developers can inexpensively and easily identify errors before they become expensive problems. The benefits can be personal, too. Developers can avoid reputational damage for bugs and vulnerabilities that could have been fixed before an application was pushed live.
Better Communication, Better Security
In order to effectively incorporate security into DevOps, developers need to better understand why the change is necessary.
“If you want to fully integrate security into your DevOps environment, then you need to talk to developers on their terms,” says Wayland. “This allows you to work closely, develop architecture, and understand what they're doing and what they're up against. When your application security people understand software development, then they can speak the same language.”
That's where Wayland's 15 years as a developer come in handy. He understands the challenges and pressures that application developers face, and he can appreciate their concerns.
In order to bolster application security, IT leaders must first make it a priority in their companies' culture, Wayland says. Before a business can achieve any kind of culture shift, leaders must first understand and be part of that culture. Only then can a business weave security throughout its development and operations.
To learn more about balancing fast development with security, register for the free Hops and DevSecOps tour produced by CA Technologies and Veracode. This seven-city tour is coming soon to a city near you.