
SECURING THE FUTURE


How To Embrace The Power Of DevSecOps

DevSecOps, the integration of security practices into the DevOps methodology, plays a pivotal role in the success of enterprises for several key reasons. Incorporating security measures from the outset enables early detection and mitigation of vulnerabilities in software and infrastructure.


Moreover, DevSecOps promotes collaboration among development, operations, and security teams, fostering a culture of security awareness and accountability throughout the organisation.

According to Mike Fraser, VP & Field CTO of DevSecOps at Sophos, the ultimate goal of DevSecOps is achieving an “IT-as-code” state, where security and operations are defined in code, ensuring consistent and secure deployments.

Tamer Odeh, Regional Sales Director at SentinelOne, highlights the importance of integrating security testing and analysis at every stage of the development process to detect and prevent security vulnerabilities early on.

“It also means automating some security gates to keep the DevOps workflow from slowing down. Selecting the right tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security features, can help meet these goals. The emphasis on automation and continuous integration and delivery (CI/CD) in DevSecOps enables rapid and frequent software releases that meet the highest security and quality standards. However, effective DevOps security requires more than just new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later,” he says.
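The two ideas above, Fraser's "IT-as-code" and Odeh's automated security gates, come together in a policy-as-code gate that a CI/CD pipeline runs on every build. The script below is an added example written for this page; it is not code from the article or from Sophos, SentinelOne or any other vendor quoted here. The scanner report is a constructed sample in a generic JSON shape (real SAST and dependency scanners emit their own formats, which a practitioner would map onto this one), and the policy thresholds, rule names, file paths and ticket reference are hypothetical. The gate blocks on critical and high findings, only warns on mediums so it does not slow the workflow, and honours time-boxed exceptions so that an accepted risk cannot silently become permanent.

```python
"""Policy-as-code security gate for a CI/CD pipeline (added example).

Reads a scanner report and a policy defined in code, then decides whether
the build may proceed. The process exit code is what the pipeline consumes.
"""
import json
import sys
from datetime import date

# Constructed sample report: not the output of any real scanner or project.
SAMPLE_REPORT = json.dumps({
    "tool": "example-scanner",
    "findings": [
        {"severity": "critical", "rule": "sql-injection",
         "file": "api/orders.py", "line": 42},
        {"severity": "high", "rule": "hardcoded-credential",
         "file": "config/settings.py", "line": 7},
        {"severity": "medium", "rule": "outdated-dependency",
         "file": "requirements.txt", "line": 3},
        {"severity": "low", "rule": "outdated-dependency",
         "file": "requirements.txt", "line": 9},
    ],
})

# Policy as code (hypothetical values): per-severity limits and reviewed,
# time-boxed exceptions. An expired exception is ignored, so the finding
# resurfaces and fails the gate again.
POLICY = {
    "block_on": {"critical": 0, "high": 0},  # any finding here fails the build
    "warn_on": {"medium": 5},                # above this, warn but still pass
    "exceptions": [
        {"rule": "hardcoded-credential", "file": "config/settings.py",
         "reason": "ticket SEC-000 (hypothetical): secret moved to vault, cleanup scheduled",
         "expires": "2099-01-01"},
    ],
}


def _is_excepted(finding, exceptions, today):
    """True if a non-expired exception covers this rule at this file."""
    for exc in exceptions:
        if exc["rule"] == finding["rule"] and exc["file"] == finding["file"]:
            if date.fromisoformat(exc["expires"]) >= today:
                return True
    return False


def evaluate_gate(report_json, policy, today=None):
    """Decide pass/fail for one report.

    `today` is an ISO date string (defaults to the real date) so the expiry
    logic can be exercised deterministically. Returns a dict with the
    decision, the blocking and warning reasons, suppressed findings and
    per-severity counts.
    """
    today = date.fromisoformat(today) if today else date.today()
    findings = json.loads(report_json)["findings"]
    counts, suppressed = {}, []
    for f in findings:
        if _is_excepted(f, policy.get("exceptions", []), today):
            suppressed.append(f)
            continue
        sev = f["severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1

    def over(limits):
        return [f"{sev}: {counts.get(sev, 0)} finding(s), limit {limit}"
                for sev, limit in limits.items() if counts.get(sev, 0) > limit]

    blocking = over(policy["block_on"])
    warnings = over(policy["warn_on"])
    return {"passed": not blocking, "blocking": blocking, "warnings": warnings,
            "suppressed": suppressed, "counts": counts}


def main(argv):
    # Usage: gate.py [report.json]; with no argument the constructed sample is used.
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate_gate(report, POLICY)
    for line in result["blocking"]:
        print("BLOCK", line)
    for line in result["warnings"]:
        print("WARN", line)
    for f in result["suppressed"]:
        print("SUPPRESSED", f["rule"], f["file"])
    print("gate:", "PASS" if result["passed"] else "FAIL")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the gate fails on the single critical finding while the hardcoded-credential finding is reported as suppressed under its exception; once that exception's expiry date passes, the high finding blocks the build again. Because the policy lives in the repository next to the pipeline definition, changes to thresholds and exceptions go through the same review as any other code, which is the point of "IT-as-code".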

James Harvey, CTO Advisor EMEA at Cisco AppDynamics, explains that the evolution of DevSecOps from DevOps was driven by the recognition that the traditional DevOps model did not adequately address security concerns. Rather than retrofitting security into the build, DevSecOps emerged as a solution to integrate security management earlier in the development process.

According to Harvey, with the DevSecOps approach, application security begins at the very beginning of the build process, ensuring that applications are secure against cyberattacks even before they reach the end user. Moreover, this approach ensures continuous security throughout application updates.

There is now a widespread realisation among organisations that adopting a DevSecOps approach is the most effective way to navigate the escalating cybersecurity risks while maintaining development speed. Recent research conducted by Cisco AppDynamics revealed that 82% of technologists in the UAE consider DevSecOps critical in effectively protecting against multistaged security attacks targeting the entire application stack. Consequently, it comes as no surprise that 49% of organisations in the UAE have already embraced DevSecOps, with an additional 48% contemplating making the shift.

How does DevSecOps differ from traditional software development?

According to Eric Johnson, Senior Instructor at SANS Institute, traditional development workflows follow a gated and siloed approach, where development work is handed off to operations and security teams. This method, used in Waterfall and Agile development methodologies, creates a clear separation of duties among teams. However, this reactive approach only allows for security checks at specific points in time, often leading to the discovery of vulnerabilities too late in the workflow.

Jason Mitchell, SVP of Engineering at Delinea, emphasises that DevSecOps practices are rapidly becoming a necessity. In the context of SaaS API development, it is crucial to continuously update processes to accommodate new tools and ideas. Traditionally, software changes would be bundled together, followed by QA tests and periodic pen-testing.

“However, with the advent of fast-moving teams that release updates multiple times a day, the integration of security, automated tests, and delivery pipelines has become essential to ensure code security and quality. Organisations that fail to adopt these practices find themselves unable to keep up with the pace of development, and they may face security breaches resulting in financial penalties, loss of trust, and damage to their brand reputation,” he adds.

Fraser from Sophos says DevSecOps emphasises automation, which leads to solutions that are easily deployable and repeatable, enabling others to consume automation for specific use cases, including compliance, infrastructure deployment, cloud security, and even response actions to active threats. Through automation, engineers across tech teams can produce repeatable solutions that can be consumed by other teams, promoting shared responsibility for security within the DevSecOps lifecycle. This drives collaboration among development, security, and operations teams and increases operational efficiencies while enabling quicker response to threats with security baked-in across the DevSecOps lifecycle.

Common pitfalls to avoid

While there is almost universal appetite for DevSecOps, the Cisco AppDynamics research uncovers a number of challenges that technologists are encountering as they look to make the transition to this new way of working.

The first challenge that organisations face is the lack of skills and knowledge in managing application security against evolving and sophisticated threats. Many technologists do not feel fully confident in their abilities to address the application security threats their organisation currently encounters. The shift towards a DevSecOps approach necessitates technologists, whether in DevOps, ITOps, or SecOps roles, to expand their skill sets and effectively collaborate as part of an integrated application team. Security professionals must acquire new skills and a deeper understanding of application development, while developers need to enhance their knowledge of security.

Harvey from Cisco AppDynamics highlights the second challenge, which is resistance to change. DevSecOps requires a significant cultural shift within IT departments. Technologists must overcome skepticism and suspicion towards other IT functions and embrace transparency in their work. They need to adopt new processes and structures that foster collaboration, mutual understanding, and recognition. IT leaders play a crucial role in emphasising the benefits of DevSecOps, not only in terms of enhancing the organisation’s security posture but also in relieving the pressure on technologists.

According to Kalle Björn, Senior Director of Systems Engineering at Fortinet ME, successfully adopting DevSecOps requires investment in technology and automation, but it should also prioritise awareness and training. Technology alone is not enough; organisations must educate their employees on the importance of collaboration, continuous delivery, and cybersecurity. This involves providing comprehensive training and support to enable employees to carry out their roles effectively.

Björn concludes by shedding light on the challenge of establishing a proper workflow for DevSecOps within the context of a zero-trust approach to security. To support a holistic zero-trust strategy, application and data developers need to embrace a “shift-left” design model approach to security. This requires closer collaboration between security teams and developers, recognising that developers may have less experience with security and require a different approach compared to traditional application development. By fostering this collaboration, organisations can establish an effective DevSecOps workflow that aligns with a robust zero-trust security framework.
