Begin Your Security Integration Into DevOps Today
You can argue that SecDevOps is an approach as old as time, or at least as old as DevOps: after all, it was Security that instigated the problems in The Phoenix Project. It has come into focus over the last 5 years, however, as the 17% of companies that had fully embraced DevOps by 2019, and the further 69% at various points on their DevOps journey, have realized they cannot complete the transformation without including Security in DevOps.
This is one of the reasons why the transition to DevOps is not always easy, with more than 50% reporting that “managing the people, processes and technologies associated and necessary for a DevOps transformation are all difficult.” Without Security included, organizations continue to create the very bottlenecks that DevOps is designed to eliminate, and a reputation for being the bottleneck is one Security is eager to shed.
But more, or faster, DevSecOps tools do not fix this. Without appropriate end-to-end automation and orchestration, no Security integration into the SDLC will be complete. This is where SecDevOps comes in. And with work-from-home growing by 775% in Q1 2020, many DevOps transformations have been put into hyperdrive, as DevOps is practically tailor-made for remote work, making a SecDevOps strategy a must-have for 2020.
2020 is almost over (thank God), so why am I prioritizing SecDevOps now?
Let’s be clear: if you didn’t prioritize Security integration into your SDLC before 2020, you are behind the eight ball, as 9 out of 10 breaches begin with defects in code. But it’s not too late: a SecDevOps program can get off the ground before the ball drops in an empty Times Square. In fact, SecDevOps is a continual evolution and can be tackled in phases. And with the world having migrated to remote work, a paradigm shift that will extend beyond the era of COVID-19, Application Security can no longer remain a nice-to-have in DevOps.
Project Managers are constantly focused on delivering their projects on time and on budget, and in the past this meant they had latitude to wait until near or even after production to begin security testing. But at the pace DevOps demands, with 56% of companies deploying builds weekly or more frequently (5% hourly!), if security is not embedded in every step of the development process, they will face an insurmountable security debt as part of their overall tech debt, which keeps companies from capturing the full benefits of DevOps.
But with so many vulnerabilities to contend with, how can Development and Security teams prioritize their remediations? Without the project-level context and visibility to prioritize vulnerabilities, teams are operating in the dark unable to understand what the most serious vulnerabilities are for that application, and whether or not they have been addressed. SecDevOps — no matter where you are on the maturity curve — provides the light in the dark abyss of lists of vulnerabilities.
By understanding the risk a vulnerability introduces to a specific application, rather than its generic severity in the world at large, Security teams can significantly reduce alert fatigue and make sure Development teams prioritize vulnerability remediation in their workflow to reduce both cybersecurity and project-delivery risk. A win you can still have this year.
“Haste Makes Waste” –Nana
As it has become popularized, the core tenet of DevOps, reducing time-to-market and improving productivity, has become confused with simply moving fast (“Move fast, break things” worked really well for Facebook in preventing data breaches…or not). Time-to-market is about the total time and effort it takes to make a product market ready; it is a multi-dimensional function. Moving fast is just the single dimension of time.
As my Grandmother always reminded me, “Haste makes waste.” Her point (which was hammered into me from a young age often whilst doing dishes), was not to do things slowly, but rather the right way, because in the end, when you do it the right way, then you save time overall. And that’s where SecDevOps comes in. It’s not about “Security-at-Speed” or “Shifting Left” — these are one-dimensional haste-based approaches. Rather, like DevOps, it’s about doing the right Security things at the right Development time to reduce overall waste in the SDLC, which comes out over time in bloated non-functional requirements, Application Security budgets, and product blow-ups, from re-writes to breaches.
When you follow the right end-to-end process (water, soap, sponge, then dishwasher, rather than straight into the dishwasher), you don’t just get a better result, you also save time overall. While even I have succumbed to the allure of “skip the rinse” with modern dishwashers (stick with me, I promise I’m going somewhere), I quickly realized that there are still certain foods that, when not pre-rinsed, leave an even harder-to-clean mess, or worse, a stinky situation. Modern Development pipelines are no different. There is no silver bullet for making more secure code efficiently. It’s about understanding the context, complexity, and cost of every vulnerability within each project, which is why you need SecDevOps.
Secure Development Operations means you “Start at the Beginning”
If you do not integrate Application Security in from the start of the Development lifecycle, you’re only moving the problem somewhere else because you will never be able to understand the context, complexity, and cost of AppSec in the pipeline. SecDevOps — Secure Development Operations — makes sure Security, like every other functional requirement, is integrated into every step of Development.
When teams fail to apply SecDevOps to their processes starting at feature requirements, they ultimately run out of bandwidth to address security. But when they do start at the beginning that’s when both Security and Development teams can get the benefits of a fully deployed and integrated Application Security program. This gets them out of just vulnerability management to understanding the policies that can prevent them from the get-go, and knowing whether or not the application meets the organizational standards to be released into production.
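The two ideas above, prioritizing findings by the risk they pose to a specific application rather than by generic severity, and checking whether an application meets an organizational standard before it is released, are shown together below in a small triage-and-gate script. This is an added worked example, not code from the original post or from any product it describes. The scanner findings, the per-application context fields (`internet_facing`, `handles_pii`, `release_stage`), the risk multipliers and the `max_open_risk` policy threshold are all constructed assumptions chosen for illustration.

```python
"""Context-aware vulnerability triage and release gate (illustrative).

Added example, not code from the original post. It assumes a hypothetical
findings feed (a constructed list mimicking scanner output) and a
hypothetical per-application context record; field names, weights and the
policy threshold are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Base score per scanner-reported severity (assumption: CVSS-like buckets).
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}


@dataclass(frozen=True)
class AppContext:
    """Project-level context the post says teams need in order to prioritize."""
    name: str
    internet_facing: bool
    handles_pii: bool
    release_stage: str  # assumed values: "production" or "internal-beta"


@dataclass
class Finding:
    rule: str
    severity: str
    component: str
    reachable: bool = True   # is the vulnerable code path actually invoked?
    fixed: bool = False      # has a remediation commit landed?
    risk: float = field(init=False, default=0.0)


def contextual_risk(f: Finding, ctx: AppContext) -> float:
    """Turn a generic severity into a risk score for *this* application.

    Multipliers are illustrative assumptions: exposure and data sensitivity
    raise the score, an unreachable code path lowers it, and a fixed finding
    carries no residual risk. The result is capped at 10.0.
    """
    if f.fixed:
        return 0.0
    score = SEVERITY_BASE.get(f.severity.lower(), 0.0)
    if ctx.internet_facing:
        score *= 1.5
    if ctx.handles_pii:
        score *= 1.25
    if not f.reachable:
        score *= 0.25
    return round(min(score, 10.0), 2)


def prioritize(findings, ctx):
    """Score every finding against the app context; highest risk first."""
    for f in findings:
        f.risk = contextual_risk(f, ctx)
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def release_gate(findings, ctx, max_open_risk=7.0):
    """Assumed organizational release standard: a production deploy is blocked
    while any open finding has contextual risk >= max_open_risk.
    Non-production stages are never blocked. Returns (allowed, blockers)."""
    ranked = prioritize(findings, ctx)
    if ctx.release_stage != "production":
        return True, []
    blockers = [f for f in ranked if f.risk >= max_open_risk]
    return len(blockers) == 0, blockers


# Constructed sample data (not real scanner output).
CHECKOUT = AppContext("checkout-api", internet_facing=True,
                      handles_pii=True, release_stage="production")
SAMPLE_FINDINGS = [
    Finding("sql-injection", "high", "orders/query.py"),
    # "critical" by the scanner, but the vulnerable path is never called here
    Finding("outdated-dependency", "critical", "vendor/legacy-parser", reachable=False),
    Finding("weak-hash", "medium", "auth/tokens.py", fixed=True),
    Finding("verbose-error", "low", "api/errors.py"),
]

if __name__ == "__main__":
    for f in prioritize(list(SAMPLE_FINDINGS), CHECKOUT):
        print(f"{f.risk:5.2f}  {f.severity:<8} {f.rule:<22} {f.component}")
    ok, blockers = release_gate(list(SAMPLE_FINDINGS), CHECKOUT)
    print("release allowed" if ok else f"BLOCKED by {[b.rule for b in blockers]}")
```

Run stand-alone, the script ranks the reachable “high” SQL injection above the unreachable “critical” dependency finding, which is the point of project-level context: the list the scanner produces is not the list the team should work from. The same ranked list then feeds the gate, so the decision to block a production release is made against a stated standard rather than against a raw count of findings.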
The quote (the King of Hearts’ instruction in Alice in Wonderland) continues: “…and go on till you come to the end: then stop.” But in today’s software development pipelines, even those that are not fully continuous integration/continuous deployment (CI/CD), there is no end; rather, it’s about continuous improvement. With end-to-end integration into the Development pipeline, SecDevOps enables this continuous feedback loop, so both Security and DevOps teams can move beyond just reducing risk to improving developer productivity and time-to-market.
No DevOps Pipeline is Complete without Security Integration
With improving operational efficiency and eliminating bottlenecks serving as the foundation of DevOps, it has become clear to DevOps teams that no SDLC is complete without security; in fact, Gartner reports that by 2022, 90% of teams will add security into their DevOps practices, up from 40% today.
If you don’t begin this journey today, the drag that poorly (or not at all) integrated security puts on your development pipeline will leave you in the dust behind your competitors as your time-to-market and productivity will suffer.