Last Updated on September 8, 2023
Now well into its second decade, DevOps—the union of development and operations teams and processes—is a mainstream approach to software delivery, testing, and deployment across orgs of all sizes and verticals. Proven to accelerate time-to-market and improve build quality, DevOps solves a lot of problems.
But DevOps doesn’t solve the application security problem. Too often, security is still an afterthought that’s left largely until the end of the software development lifecycle (SDLC). In the interest of time and budget, applications ship with dozens of vulnerabilities that hackers are keen to identify and exploit.
Enter DevSecOps, the union of DevOps and Security. The goal of DevSecOps is to bring security people, processes, and technology to bear much sooner and more intensively in the SDLC.
A security mindset
Arguably the biggest difference between DevOps and DevSecOps is a security mindset that pervades the SDLC from when a solution is first architected through the coding process to deployment and updates. All along the way, security risks are being evaluated and engineered out.
Creating a security mindset means embedding security focused developers, testers, and operations people into your team. Or, for smaller teams, educating your team members to ensure they understand security and how it relates to their role. This is a big shift from a more typical focus on budget, features, and time-to-market.
André Keartland, Solutions Architect at Netsurit, relates: “In many development teams, there’s an idea that security is somebody else’s problem. Often that leads to a situation where bad code ends up shipping and applications have vulnerabilities in them getting exploited. Then everybody acts all surprised. But they were dead men walking from the beginning because they hadn’t thought of security from step one.”
Measurement drives behavior
It’s common for orgs to incentivize application time-to-market and functionality. But this can indirectly result in dismissing security as a speed bump.
“One of my favorite sayings is, ‘Measurement drives behavior,’” says André. “So, a big part of making DevSecOps work is you’ve got to get a lot of buy-in from the stakeholders. The people in the business who are paying for that application—they need to care about security.”
But many application owners don’t understand the true impact of not “doing security” upfront in their SDLC. Executives are increasingly aware of the criticality of being able to demonstrate to customers, regulators, and others that an application, especially a SaaS offering, is secure. Likewise, business leaders are aware of the potential impact of cyber-attacks. They may even be aware of the enormous cost disparity between fixing a security issue earlier in the SDLC versus after an app is deployed. But that doesn’t mean they’ll act accordingly.
André observes that many decision-makers have outmoded ideas about how security works: “We still in the year 2023 have people walking around thinking, ‘All I need is really, really good perimeter security. A firewall is going to save me.’ They might be very focused on the infrastructure security, but the apps within that infrastructure have big holes in them. And that’s where bad things happen.”
For more guidance on this topic, listen to Episode 114 of The Virtual CISO Podcast with guest André Keartland from Netsurit.